Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
I have offered sigs to ClamAV official but have heard nothing back yet.

> On Jan 4, 2017, at 6:52 PM, Eric Tykwinski  wrote:
> 
> This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m 
> going to be beta testing stuff out shortly, but don’t have high hopes besides 
> the Snort rules.
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
>> On Jan 4, 2017, at 6:23 PM, Reindl Harald  wrote:
>> 
>> 
>> 
>> Am 04.01.2017 um 23:12 schrieb Al Varnell:
>>> Can somebody with access to those samples run them against a virgin ClamAV 
>>> signature database to answer the question?  I'd be happy to if there are 
>>> samples I can access.
>> 
>> official, virgin signatures don't and probably will never recognize recent 
>> malware and following this list you should know this already
>> 
> 
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml


Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
Doesn’t detect to RAT

Al, if you don’t want to run my unofficial sigs I would be happy to provide 
them to Joel for incorporation into official db.



> On Jan 4, 2017, at 5:12 PM, Al Varnell  wrote:
> 
> Can somebody with access to those samples run them against a virgin ClamAV 
> signature database to answer the question?  I'd be happy to if there are 
> samples I can access.
> 
> -Al-
> 
> On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:
>> 
>> I added detection in winnow_extended_malware.hdb which is distributed in the 
>> sanesecurity feed the day after the JAR was released.  I also searched for 
>> the RAT and added signatures for that as well in winnow_malware_links.ndb
>> 
>> Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.
>> 
>> Tom
>> 
>> 
>>> On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:
>>> 
>>> I'm being asked a question by our security team that I am struggling
>>> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
>>> 
>>> I've hunted around the archives, support pages and google, but do not
>>> see any discussion about this, could anyone comment?
>>> 
>>> Thank you!

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
I added detection in winnow_extended_malware.hdb which is distributed in the 
sanesecurity feed the day after the JAR was released.  I also searched for the 
RAT and added signatures for that as well in winnow_malware_links.ndb

Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.

Tom


> On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:
> 
> I'm being asked a question by our security team that I am struggling
> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
> 
> I've hunted around the archives, support pages and google, but do not
> see any discussion about this, could anyone comment?
> 
> Thank you!


[clamav-users] Question on attachments

2016-12-12 Thread TR Shaw
How does ClamAV decide to unpack an attachment?

In particular this is in reference to the recent Locky attachments that are 
zips but have the attachment extension “dip”


Re: [clamav-users] Problems with safe browsing

2016-11-11 Thread TR Shaw
You missed my point. It was a shame that safe browsing sigs are only for 
files that look like email.

> On Nov 11, 2016, at 12:43 AM, Gene Heskett  wrote:
> 
> On Thursday 10 November 2016 17:45:24 TR Shaw wrote:
> 
>> Thanks, all.
>> 
>> However it's a real shame that it will not scan generic files looking
>> for bad urls rather than only scanning email files.
>> 
>> I was going to use clamav to scan disk drives for scripts that used
>> uris in safe browsing. So much of that :-(
>> 
>> Tom
> 
> It scans disks just fine, has caught one real, and 2 fp's in the 3 years 
> or so I've been using it. I also have clamscand scanning all incoming 
> emails, and it has quarantined, in the past year,
> -rw-r--r-- 1 gene mail 113710 Jun  6 08:13 virii
> So there is probably 3, maybe more, attacks in there.  I usually zero 
> that file out on new years day. The clamav tools can do a lot, if used 
> for the jobs they were designed to do.  Read the docs, then read them 
> again.
> 
>>> On Nov 10, 2016, at 3:46 PM, Steve basford
>>>  wrote:
>>> 
>>> Hi Tom,
>>> 
>>> Create a standard header body formatted  email and then insert the
>>> address at the end.
>>> 
>>> It will be detected.  Just placing on a line.. it won't be detected,
>>> 
>>> Cheers,
>>> 
>>> Steve
>>> Twitter: @sanesecurity
>>> 
>>> On 10 November 2016 19:53:05 TR Shaw  wrote:
>>>> I have freshclam set to load safe browsing:
>>>> 
>>>> -rw-r--r--   1 _clamav  admin   57874944 Nov 10 11:51 daily.cld
>>>> -rw-r--r--   1 _clamav  admin  103419904 Nov 10 13:51
>>>> safebrowsing.cld
>>>> 
>>>> I placed http://ianfette[.]org/ in a file safebrowsingtest.txt
>>>> 
>>>> Then I run clam and expect to hit safe browsing but I instead I get
>>>> OK.
>>>> 
>>>> $ clamscan -v safebrowsingtest.txt
>>>> Scanning safebrowsingtest.txt
>>>> safebrowsingtest.txt: OK
>>>> 
>>>> --- SCAN SUMMARY ---
>>>> Known viruses: 8073056
>>>> Engine version: 0.99.2
>>>> Scanned directories: 0
>>>> Scanned files: 1
>>>> Infected files: 0
>>>> Data scanned: 0.00 MB
>>>> Data read: 0.00 MB (ratio 0.00:1)
>>>> Time: 12.567 sec (0 m 12 s)
>>>> 
>>>> When I place http://ianfette[.]org/ in a browser I get the safe
>>>> browsing alert.  Any ideas what I am doing wrong?
>>>> 
>>>> Tom
>>>> 
>>>> 
> 
> 
> Cheers, Gene Heskett
> -- 
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page <http://geneslinuxbox.net:6309/gene 
> <http://geneslinuxbox.net:6309/gene>>


Re: [clamav-users] Problems with safe browsing

2016-11-10 Thread TR Shaw
Thanks, all.

However it's a real shame that it will not scan generic files looking for bad 
urls rather than only scanning email files.

I was going to use clamav to scan disk drives for scripts that used uris in 
safe browsing. So much of that :-(

Tom

> On Nov 10, 2016, at 3:46 PM, Steve basford  
> wrote:
> 
> Hi Tom,
> 
> Create a standard header body formatted  email and then insert the address at 
> the end.
> 
> It will be detected.  Just placing on a line.. it won't be detected,
> 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> 
> 
> 
> On 10 November 2016 19:53:05 TR Shaw  wrote:
> 
>> I have freshclam set to load safe browsing:
>> 
>> -rw-r--r--   1 _clamav  admin   57874944 Nov 10 11:51 daily.cld
>> -rw-r--r--   1 _clamav  admin  103419904 Nov 10 13:51 safebrowsing.cld
>> 
>> I placed http://ianfette[.]org/ in a file safebrowsingtest.txt
>> 
>> Then I run clam and expect to hit safe browsing but I instead I get OK.
>> 
>> $ clamscan -v safebrowsingtest.txt
>> Scanning safebrowsingtest.txt
>> safebrowsingtest.txt: OK
>> 
>> --- SCAN SUMMARY ---
>> Known viruses: 8073056
>> Engine version: 0.99.2
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 12.567 sec (0 m 12 s)
>> 
>> When I place http://ianfette[.]org/ in a browser I get the safe browsing 
>> alert.  Any ideas what I am doing wrong?
>> 
>> Tom
>> 
>> 
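Steve's advice in this thread is that the URL has to sit inside something ClamAV recognises as a mail message (headers, blank line, body), not on a bare line in a text file. The script below is an added example, not code from the thread or from ClamAV: it wraps a URL in a minimal RFC 5322 message, writes it out, and runs `clamscan` on it if the binary is installed. The addresses, subject and file name are constructed; `clamscan --no-summary`, its `path: NAME FOUND` / `path: OK` output lines and its exit status (1 when something is found) are real.

```python
"""Wrap a URL in a minimal mail message so ClamAV scans it as mail.

Added example, not from the thread or from ClamAV. Bare URLs in a plain
text file did not trigger the safebrowsing signatures for Tom above;
the same URL inside a header+body formatted message is scanned as mail.
"""
import re
import shutil
import subprocess
from email.message import EmailMessage
from email.utils import formatdate


def wrap_url_in_mail(url: str) -> bytes:
    """Return a complete header + body message whose body carries `url`."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"          # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "URL signature test"
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = "<url-test-1@example.invalid>"
    msg.set_content(f"Please review: {url}\n")
    return msg.as_bytes()


# One result line per scanned path, as clamscan prints them.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$", re.M)


def parse_clamscan_output(text: str) -> dict:
    """Map each scanned path to its signature name, or None when 'OK'."""
    return {m.group("path"): m.group("sig") for m in RESULT_RE.finditer(text)}


def scan_file(path: str):
    """Run clamscan on `path` when it is installed; None when it is not.

    Returns (exit_status, {path: signature_or_None}); clamscan exits 0 for
    a clean file and 1 when a signature matched.
    """
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--no-summary", path],
                          capture_output=True, text=True)
    return proc.returncode, parse_clamscan_output(proc.stdout)


if __name__ == "__main__":
    # The archive shows the test URL defanged with "[.]"; restore the dot
    # when reproducing the check locally.
    data = wrap_url_in_mail("http://ianfette[.]org/")
    with open("safebrowsingtest.eml", "wb") as fh:   # constructed file name
        fh.write(data)
    print(scan_file("safebrowsingtest.eml"))
```

If `clamscan` is on the path, a hit shows up as `safebrowsingtest.eml: <signature> FOUND` with exit status 1; a plain text file holding the same URL still reports `OK`, which is exactly the difference this thread is about.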


[clamav-users] Problems with safe browsing

2016-11-10 Thread TR Shaw
I have freshclam set to load safe browsing:

-rw-r--r--   1 _clamav  admin   57874944 Nov 10 11:51 daily.cld
-rw-r--r--   1 _clamav  admin  103419904 Nov 10 13:51 safebrowsing.cld

I placed http://ianfette[.]org/ in a file safebrowsingtest.txt

Then I run clam and expect to hit safe browsing but I instead I get OK. 

$ clamscan -v safebrowsingtest.txt 
Scanning safebrowsingtest.txt
safebrowsingtest.txt: OK

--- SCAN SUMMARY ---
Known viruses: 8073056
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.567 sec (0 m 12 s)

When I place http://ianfette[.]org/ in a browser I get the safe browsing alert. 
 Any ideas what I am doing wrong?

Tom




Re: [clamav-users] Scanning very large files in chunks

2016-08-12 Thread TR Shaw
Actually there is always a probability that a detection will not occur if you 
break a file apart into pieces. This is due to the following:

1) md5 signatures based upon any file type are applied on any file and match to 
the md5 hash of that file AND the file’s size. If you break apart a file, 
neither the hash nor the file size will match the signature.

2) Complex signatures that are a logical grouping of the results of multiple other 
signature detections are the other type that can break if you break a file in 
pieces.

This question of breaking apart files and checking comes up regularly from folks 
who need to support high data rate inputs and still be NIST FISMA compliant, and 
the answer is always no, you can’t do that.

Tom


> On Aug 12, 2016, at 5:32 PM, sapientdust+cla...@gmail.com wrote:
> 
> On Thu, Aug 11, 2016 at 10:15 AM, G.W. Haywood
> <cla...@jubileegroup.co.uk> wrote:
>> Hello once again,
>> 
>> On Thu, 11 Aug 2016, sapientdust+cla...@gmail.com wrote:
>> 
>>> I scan a 4.5 GB file in multiple instream calls, by scanning the first
>>> 3 GB in one call, and then making a second instream call that provides
>>> the first N  MB followed by the last 2 GB of the file.
>> 
>> 
>>> Would clamav be expected to work similarly in the two cases in terms
>>> of identifying a virus, assuming the virus is the same in the two
>>> scenarios and it's in ClamAV's database? Or are there technical
>>> reasons why ClamAV wouldn't detect the virus in the second scenario
>>> but would in the first, even though the virus bytes are identical?
>> 
>> 
>> There's a possibility of failing to find it in the second scenario.
>> It's anybody's guess what the probability will be; my guess would be
>> that the probability of that failure would be small compared with the
>> relatively large probability of not finding it at all in both cases.
> 
> I was hoping to hear from a developer, because non-developer "guesses"
> don't help me very much. There is a definite answer to my question,
> but only somebody familiar with the ClamAV code will know the answer.
> 
> From what I've been able to learn based on some emails on the
> developer list, ClamAV specifies virus signatures as either offsets in
> a file of a certain type (and they are only found at that offset), or
> they are specified as a pattern that can appear anywhere in the file.
> I think it most likely that any virus inserted in a very large file
> (multiple GB) would probably be of the second kind, which will be
> recognized if those bytes are scanned anywhere within the file, as
> long as the correct file type is identified. That means that as long
> as the first N bytes are prepended to each chunk so that ClamAV thinks
> each file is a file of the same type, it will identify the virus in a
> block from a large file as reliably as it would identify the same
> virus in a large file that is nevertheless small enough to be scanned
> in one call.
> 
>>> This is a question for clamav developers or those who understand the
>>> codebase sufficiently to know the impact of scanning a partial file.
>> 
>> 
>> I don't think so.  Just think about it a bit:
>> 
>> Much of ClamAV's operation is looking for pattern matches.
>> Suppose you scan a 4.5GB file in two chunks.
>> Suppose half this mysterious 'huge file virus' is in the first chunk.
>> Presumably the other half is in the second chunk.
>> What happens if the pattern is designed to match the entire virus?
> 
> First, the virus itself would not be huge. It would be just a normal
> virus embedded in a large file, where almost all the size is
> legitimate data. Every example I gave since my first email shows the
> chunks being broken up in such a way that your scenario cannot arise,
> because data that would be split is repeated in the next block in such
> a way that it's not split into two pieces in the subsequent block.
> Note above, where I said a 4.5 GB file would be scanned in two calls,
> the first providing bytes 0-3GB, and the second providing the first N
> bytes concatenated with the bytes from 2.5GB-4.5GB. The boundary at
> 3GB is squarely inside the second block and not split across blocks so
> that it's still recognized in its entirety, as long as the virus isn't
> larger than 500MB, which as far as I can tell is always the case for
> the sorts of things that ClamAV can identify.
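The two failure modes in Tom's reply (hash-and-size signatures never match a fragment; pattern signatures miss when the bytes straddle a chunk boundary) and the overlap idea from the quoted message are easy to see with a toy scanner. The block below is an added example, not ClamAV's scanning code: it uses the layout of ClamAV's `.hdb` (`md5:size:name`) and `.ndb` (`name:target:offset:hex`) lines, a constructed sample file, and a deliberately simple substring matcher.

```python
"""Why scanning a file in chunks can miss ClamAV-style signatures.

Added illustration, not ClamAV's code. Two signature kinds modelled on
ClamAV's own database line formats are run over a constructed sample
whole, in fixed chunks, and in overlapping chunks:
  .hdb line: "md5:filesize:name"       whole-file hash AND size must match
  .ndb line: "name:target:offset:hex"  byte pattern, "*" = any offset
"""
import hashlib

# Constructed sample: benign filler with a marker pattern at offset 1000.
MARKER = b"SAMPLE-MARKER-NOT-REAL-MALWARE"
SAMPLE = b"A" * 1000 + MARKER + b"B" * 1000


def hdb_entry(data: bytes, name: str) -> str:
    """Build an .hdb-style line for the whole file (hash and size)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_entry(name: str, pattern: bytes, target: int = 0) -> str:
    """Build an .ndb-style line; target 0 means 'any file type'."""
    return f"{name}:{target}:*:{pattern.hex()}"


HDB = [hdb_entry(SAMPLE, "Test.Hash")]
NDB = [ndb_entry("Test.Pattern", MARKER)]


def scan(data: bytes, hdb=HDB, ndb=NDB) -> set:
    """Return the names of all signatures that match `data` as one unit."""
    hits = set()
    digest = hashlib.md5(data).hexdigest()
    for line in hdb:
        md5, size, name = line.split(":")
        if md5 == digest and int(size) == len(data):
            hits.add(name)
    for line in ndb:
        name, _target, _offset, hexpat = line.split(":")
        if bytes.fromhex(hexpat) in data:
            hits.add(name)
    return hits


def scan_chunked(data: bytes, chunk: int, overlap: int = 0) -> set:
    """Scan windows of `chunk` bytes, each starting `overlap` bytes before
    the end of the previous one, and union the hits of every window."""
    if not 0 <= overlap < chunk:
        raise ValueError("overlap must be smaller than the chunk size")
    hits = set()
    step = chunk - overlap
    for start in range(0, len(data), step):
        hits |= scan(data[start:start + chunk])
        if start + chunk >= len(data):
            break
    return hits


if __name__ == "__main__":
    print("whole file:            ", scan(SAMPLE))
    print("1500-byte chunks:      ", scan_chunked(SAMPLE, 1500))
    print("1010-byte chunks:      ", scan_chunked(SAMPLE, 1010))
    print("1010 bytes, 64 overlap:", scan_chunked(SAMPLE, 1010, 64))
```

The whole-file scan hits both signatures. With 1500-byte chunks only the pattern fires (the marker lies inside the first chunk); with 1010-byte chunks the marker is split at the boundary and nothing fires; an overlap at least as long as the pattern brings the pattern hit back but can never restore the hash-and-size match, which is point 1) of the reply. Real logical signatures (point 2) combine several such sub-patterns and fail the same way whenever any of them lands in a different chunk.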

Re: [clamav-users] ClamAV and DoD Approval

2016-07-12 Thread TR Shaw
Actually they approved ClamAV for use in CI PL 4 & 5 since the mid 2000s

iPhone says hi!


> On Jul 12, 2016, at 5:55 PM, Albrecht, Thomas C  
> wrote:
> 
> Hi,
> 
> 
> 
> I'm hoping someone on this list can answer this question.  I work as a 
> defense contractor, and one (frustrating) requirement that we've had for 
> years is that we've had to install antivirus tools on our servers, no matter 
> the context or risk.  In addition, they had to be "DoD approved" AV tools, 
> which limited us to McAfee and Symantec.  Recently, a new draft guidance came 
> out for configuring RHEL7 servers, and they had an interesting change to 
> their policy.  We were given the option of having either McAfee AV or ClamAV 
> installed.
> 
> 
> 
> My question is whether anyone in the ClamAV community knows of any guidance 
> or changes in DoD policy that would have made ClamAV an approved AV client.  
> If we could find that supporting guidance that would have led the DoD to 
> change their configuration documentation, it would go a long way in letting 
> me get approval to rip out McAfee.
> 
> 
> 
> Thanks for any info you might have!
> 
> 
> 
> Tom Albrecht
> 
> 
> 
> --
> 
> 
> 
> Tom Albrecht III, CISSP-ISSEP, GPEN
> 
> Cyber Architect, Lockheed Martin MST
> 
> thomas.c.albre...@lmco.com
> 
> 610-906-4356 (mobile)
> 
> 
> 


[clamav-users] Clam & safe browsing question/problem

2016-05-22 Thread TR Shaw
The following is safebrowsing’s test host name, malware.testing.google[.]test, 
and using google’s test page

https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=malware.testing.google[.]test

shows that it is listed.

I have enabled safebrowsing in freshclam.conf and checked that safebrowsing.cvd 
has been downloaded and is current.

I checked clamav using clamscan on a file containing the EICAR signature and it 
detects. I also checked clamd using INSTREAM and piped an EICAR signature to 
clamd and it responded "Eicar-Test-Signature FOUND"

I then created a file containing

http://malware.testing.google[.]test/

and ran it through clamav:

clamscan -v googlesafebrowsingtest.txt

--- SCAN SUMMARY ---
Known viruses: 5826858
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.639 sec (0 m 10 s)

and got no detects. I also checked with INSTREAM and nada.

Any help is appreciated to help me get this going.

Tom


Re: [clamav-users] ClamAV - References

2016-04-18 Thread TR Shaw
You should remind your security dept that ClamAV is owned and maintained by 
Cisco.

> On Apr 18, 2016, at 11:13 AM, Retailleau, Damien (GE Capital) 
>  wrote:
> 
> Hi ClamAV users,
> 
> We are, at GEMB France, currently looking for a solution to scan files upload 
> on our partner portal (Java Development). To do that we have proposed to use 
> ClamAV. However, as a bank, our security department do not like to use such 
> free opensource initiatives.
> 
> To make them adopt ClamAV, I show them shadow server statistics. To go 
> further, I would like to give them an overview of some business companies 
> that already use ClamAV successfully. However, I did not found such 
> information on ClamAV web site. 
> 
> So I would be interested if any one of you have such a piece of information 
> about ClamAV usage in business companies.
> 
> Thank for all,
> 
> Regards
> 
> Damien Retailleau
> Solution Architect
> GE Money France & DOM
> 1 Rue du Chateau de L'Eraudiere, IDAHO
> 44300 NANTES
> 
> Tel : 02 51 89 54 84
>  
> GE Imagination at work
> 


Re: [clamav-users] winnow FP

2016-04-14 Thread TR Shaw
Removed when I saw the original message

> On Apr 14, 2016, at 3:22 AM, Paul Whelan  wrote:
> 
> On 13 Apr 2016 at 11:20, Alex wrote:
> 
>> Hi,
>> 
>> I don't understand why themastersbaker.com would be tagged?
>> 
>> # sigtool --find-sigs winnow.spam.ts.untyped.966134 | sigtool --decode-sigs
>> VIRUS NAME: winnow.spam.ts.untyped.966134
> 
> Winnow signatures are distributed by Sanesecurity.com.  They have their own 
> mailing list 
> although Steve does pop-up here as well.
> 
> paul
> 


Re: [clamav-users] javascript ZIP virus not caught?

2016-03-15 Thread TR Shaw
AL,

I am seeing lots of different versions of ransomware .js downloaders 
(Teslacrypt, Locky, and many others and variants) which I have been feeding 
to the ClamAV team and creating sigs for, pushed out as winnow sigs in Steve’s feed.  
I can tell you that all that I have and am feeding have not been detected by 
ClamAV when I detected them.

> On Mar 15, 2016, at 2:15 PM, Al Varnell  wrote:
> 
> That’s the KeRanger ransomware which we dealt with last weekend.  Not 
> related to Teslacrypt AFAIK.
> 
> -Al-
> 
> On Tue, Mar 15, 2016 at 10:45 AM, Dennis Peterson wrote:
>> 
>> Already in the wild.
>> 
>> http://www.foxnews.com/tech/2016/03/07/new-mac-os-x-ransomware-targets-apple-users.html

Re: [clamav-users] 800-53 (Rev. 4) Question {the first}

2016-01-29 Thread TR Shaw
ClamAV does provide for heuristic detection and its normal ruleset includes 
heuristic rules, as do the UNOFFICIAL feeds. It meets the mail for NIST as well 
as DCID (and its follow-on regs)

Tom

> On Jan 29, 2016, at 7:01 AM, Brad Scalio  wrote:
> 
> Can anyone answer the mail on this control enhancement in NIST 800-53 (Rev.
> 4) and if Clam AV has this in 0.99 release and if not, if anyone has any
> fodder or websites that can explain this more ... again many thanks and if
> this isn't the correct listserver to use for this many apologies.
> 
> SI-3(7)
> MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTIONThe information
> system implements nonsignature-based malicious code detection mechanisms.
> Supplemental Guidance: Nonsignature-based detection mechanisms include, for
> example, the use of heuristics to detect, analyze, and describe the
> characteristics or behavior of malicious code and to provide safeguards
> against malicious code for which signatures do not yet exist or for which
> existing signatures may not be effective. This includes polymorphic
> malicious code (i.e., code that changes signatures when it replicates).
> This control enhancement does not preclude the use of signature-based
> detection mechanisms.


Re: [clamav-users] just a little help please

2015-07-24 Thread TR Shaw

> On Jul 23, 2015, at 9:26 PM, Al Varnell  wrote:
> 
> 
> On Thu, Jul 23, 2015 at 05:28 PM, phoenixcomm wrote:
>> 
>> I am new to clamAV so be gentle.
>> the Tk interface is very nice but I have a problem
>> you have only 2 choices to scan home or everything.
>> you need to add other dir as well..
>> as I have a "public drive" mounted
>> mnt/MyData/public  so how do I scan this dir
>> and my media is
>> mnt/MyMedia/media (lots of movies and music
>> 
>> I have to do this as I use NFS for file sharing and these are my exports
> 
> Perhaps you meant to contact the clamtk developer about this.  I don’t think 
> he’s affiliated in any way with Cisco/ClamAV®
> 
> 

Not to contradict Al but you could just scan using the command line.

Tom



Re: [clamav-users] ClamAV® blog: ClamAV 0.99b Meets YARA!

2015-06-05 Thread TR Shaw
Steve I have my own yara rules. Are you going to accept them for rsync?

Tom

On Jun 5, 2015, at 11:02 AM, Steve Basford  
wrote:

> 
> On Wed, June 3, 2015 8:02 pm, Joel Esler (jesler) wrote:
>> 
> 
>> ClamAV 0.99b Meets YARA!
>> The first beta release of ClamAV 0.99 is now on SourceForge! ClamAV 0.99
> 
>> Since this is such a large feature, please help us by downloading, using,
>> and testing this feature and reporting bugs via our usual methods here:
>> http://www.clamav.net/contact.html
> Just catching up on emails...so sorry if this has been posted somewhere...
> 
> Have any windows binaries been put live to test yet?
> 
> Cheers,
> 
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> 


[clamav-users] http://www.stats.clamav.net

2015-05-06 Thread TR Shaw
I originally signed on using gmail. However gmail no longer support OpenID 2. 

Per Google, "OpenID 2.0 was replaced by OpenID Connect, and since April 20, 
2015, no longer works for Google Accounts. OpenID 2.0 support was shut down in 
order to focus on the newer open standard OpenID Connect, which provides 
greater security."

Any idea how I can get into my account?

Tom



Re: [clamav-users] Blocking malicious URLs in a local database

2015-03-30 Thread TR Shaw

your.local.ndb file:
<?php
// one .ndb line per URL: name:target_type:offset:hex_encoded_bytes
echo "signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
echo "signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";

On Mar 30, 2015, at 2:34 PM, Dave McMurtrie  wrote:

> Hi,
> 
> Hopefully someone here can steer me in the right direction.  I'm looking for 
> a simple way to be able to create a local signature such that when we become 
> aware of a phishing message targeting our users that contains a malicious 
> URL, I can quickly respond by configuring ClamAV to identify them so we can 
> block them.
> 
> After reading the phishsigs_howto, it looks like adding entries to a 
> local.gdb file would accomplish what I want, but thus far that isn't working 
> for me.  I'm fairly certain that I have the format correct because clamdscan 
> is properly detecting messages with URLs that I put in my local.gdb file.  
> However, clamd is not detecting the URLs when our milter code connects to the 
> clamd socket.  The difference seems to be whether it's in the context of 
> scanning a file or a mail message, since debug output shows me that it's 
> taking a different code path.  I posted to the list earlier with more 
> specific questions about this, but never did track it down.
> 
> My questions:
> 
> 1) Is the local.gdb file even intended for this purpose?
> 
> 2) Is there a better way to accomplish this?
> 
> Thanks!
> 
> Dave
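The same generator in Python, with the round trip back to text and the one caveat a hex body without wildcards carries. This is an added example, not code from the thread or from ClamAV: the signature prefix and URLs are constructed, and the target types are ClamAV's documented values (0 = any file, 4 = mail file). Use `sigtool --decode-sigs < your.local.ndb` (shown elsewhere on this page) to confirm what a generated line decodes to.

```python
"""Generate ClamAV .ndb lines that match URLs, and show what they match.

Added example, not ClamAV code. An .ndb line is
    name:target_type:offset:hex_bytes
and, without wildcards, its hex body is a plain byte pattern: it matches
wherever those bytes occur, including inside a longer URL.
"""
import re

# Conservative name charset; ClamAV names may not contain ':' or whitespace
# (assumption: this rule is stricter than ClamAV's, never looser).
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

TARGET_ANY, TARGET_MAIL = 0, 4   # documented ClamAV target types


def ndb_line(name: str, url: str, target: int = TARGET_ANY) -> str:
    """One .ndb signature: the URL's ASCII bytes as hex, matched at any offset."""
    if not NAME_RE.match(name):
        raise ValueError(f"bad signature name: {name!r}")
    return f"{name}:{target}:*:{url.encode('ascii').hex()}"


def build_ndb(prefix: str, urls, target: int = TARGET_ANY) -> str:
    """Number the entries like the PHP snippet above (prefix.1, prefix.2, ...)."""
    return "".join(ndb_line(f"{prefix}.{i}", u, target) + "\n"
                   for i, u in enumerate(urls, 1))


def decode_ndb(text: str):
    """Reverse of build_ndb: (name, target, offset, url) per line, which is
    what `sigtool --decode-sigs` shows for such entries."""
    entries = []
    for line in text.splitlines():
        name, target, offset, hexpat = line.split(":", 3)
        entries.append((name, int(target), offset,
                        bytes.fromhex(hexpat).decode("ascii")))
    return entries


def matches(text: str, data: bytes) -> set:
    """Names of the signatures in `text` whose bytes occur in `data`.
    Plain substring semantics, so a path prefix also hits longer paths."""
    return {name for name, _t, _o, url in decode_ndb(text)
            if url.encode("ascii") in data}


if __name__ == "__main__":
    db = build_ndb("Local.Phish", ["http://bad.example/path",
                                   "http://evil.example/login"])
    print(db, end="")
    print(decode_ndb(db))
    # Constructed message body: note the prefix match on ".../pathology".
    print(matches(db, b"see http://bad.example/pathology now"))
```

Because the body is a bare substring, decide deliberately whether an entry should end at a delimiter (a quote, space or `<` that follows the URL in the kinds of messages you see) or stay a prefix that also catches variants of the path; the former gives fewer false positives, the latter more coverage.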


Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread TR Shaw

On Mar 29, 2015, at 12:24 PM, G.W. Haywood  wrote:

> Hi there,
> 
> On Sun, 29 Mar 2015, Denis Peterson wrote:
> 
>> ... I meant dd, not cpio. But that won't work either ...
> 
> Does kpartx help?  I use it for mounting bits of assorted disc images,
> mostly when I'm playing around with Windows VMs.
> 

or http://vu1tur.eu.org/tools/ dmg2iso





Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread TR Shaw

On Mar 29, 2015, at 1:45 AM, Dennis Peterson  wrote:

> On 3/28/15 10:43 PM, Jinwon Lee wrote:
>> Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
>> .dmg as a known file that contains virus/es.
>> 
>> Jinwon
>> 
>> 
> That was the case too for password protected zip files. If you can't burst 
> the contents you condemn the wrapper.
> 

Not entirely complete as you can tell ClamAV to mark encrypted zip and rar's as 
viruses without having a "sig".



Re: [clamav-users] url scanner

2014-12-18 Thread TR Shaw
Sanesecurity's distribution of multiple sourced data (sanesecurity, CRDF, 
winnow and others) has url detections in them but you really need to add SURBL 
and Spamhaus' DBL in content filtering as well.

On Dec 18, 2014, at 11:50 AM, Arnaud Jacques / SecuriteInfo.com 
 wrote:

> Le jeudi 18 décembre 2014, 15:29:13 polloxx a écrit :
>> Since more and more malware is not attached to a mail but only an url to
>> it, detecting it is a challenge. Is there any good url scanner available for
>> Clamav?
> 
> https://www.malwarepatrol.net
> 
> Their signatures for Clamav are based on URLs. May be a good start.
> 
> -- 
> Best regards,
> 
> Arnaud Jacques
> SecuriteInfo.com


Re: [clamav-users] url scanner

2014-12-18 Thread TR Shaw
You need to look into a content filter that can use spamhaus.ro and/or 
surbl.org DNS based RBLs.

On Dec 18, 2014, at 9:40 AM, Steve Basford  
wrote:

> 
> On Thu, December 18, 2014 2:29 pm, polloxx wrote:
>> Since more and more malware is not attached to a mail but only an url to
>> it, detecting it is challenge. Is there any good url scanner avalable for
>> Clamav?
> 
> 
> Millions of years ago...there used to be a clamd.conf MailFollowURLs Yes
> option, which I think used to go away and download from whatever links
> were there.
> 
> Obviously, there's a performance hit etc. from doing that.
> 
> Changelog...
> 
> Thu Aug  6 22:26:30 CEST 2009 (tk)
> --
> * clamd, clamscan, libclamav: drop support for MailFollowURLs (bb#1677)
> 
> Cheers,
> 
> Steve
> Sanesecurity.com
> 



Re: [clamav-users] Low detection rate

2014-03-03 Thread TR Shaw
BTW, that one should have been detected by winnow (distributed in Steve's rsync 
feed).

On Mar 3, 2014, at 9:03 AM, Larry Stone wrote:

> 
> On Mar 3, 2014, at 7:49 AM, Steve Basford  
> wrote:
> 
>> 
>>> On 03.03.14 12:38, Dennis Peterson wrote:
>>> 
>>>> Did you just send a link to a known infected file to this list?
>>> 
>>> Yes, I sent a link to something I felt people answering my question
>>> would need to be able to see, with some text next to it *specifically
>>> saying it was infected*.
>> 
>> I think a "h t t p" non-clickable link might have been wise though,
>> just in case someone hasn't had their coffee yet and clicks it...yes,
>> I know... but it does happen ;)
> 
> No matter what you do, some MUAs take anything that looks like it might be a 
> link and turn it into a link. :-( You need to turn @ into at and . into dot 
> and other obfuscations to be fairly sure some MUA won't make it clickable.
> 
> -- 
> Larry Stone
> lston...@stonejongleux.com
> http://www.stonejongleux.com/
> 
> 
> 




Re: [clamav-users] Low detection rate

2014-03-03 Thread TR Shaw
Many use hxxp for http or [.] or " dot " for the period in the domain name.

Tom

On Mar 3, 2014, at 9:00 AM, Steve Hill wrote:

> On 03.03.14 13:49, Steve Basford wrote:
> 
>> I think a "h t t p" non-clickable link might have been wise though,
>> just in case someone hasn't had their coffee yet and clicks it...yes,
>> I know... but it does happen ;)
> 
> My apologies - I will keep this in mind in future.
> 
> -- 
> - Steve Hill
>   Technical Director
>   Opendium Limited http://www.opendium.com
> 
> Direct contacts:
>   Instant messenger: xmpp:st...@opendium.com
>   Email: st...@opendium.com
>   Phone: sip:st...@opendium.com
> 
> Sales / enquiries contacts:
>   Email: sa...@opendium.com
>   Phone: +44-844-9791439 / sip:sa...@opendium.com
> 
> Support contacts:
>   Email: supp...@opendium.com
>   Phone: +44-844-4844916 / sip:supp...@opendium.com



Re: [clamav-users] Spam bounces from this list

2014-02-06 Thread TR Shaw
$ nslookup geneslinuxbox.net.multi.uribl.com
Server: 10.0.1.1
Address:10.0.1.1#53

** server can't find geneslinuxbox.net.multi.uribl.com: NXDOMAIN

On Feb 6, 2014, at 4:48 PM, Dennis Peterson wrote:

> I'm not part of your problem or your solution. I don't own the TTL of the 
> records of remote DNS servers (should be under 5 seconds, but ??). However - 
> your domain is no longer listed as of this post time, nor are several others 
> logged today. The vendor may have had problems - their home page suggests 
> they have numerous DNS issues. I think that is fairly normal for black list 
> providers.
> 
> There is nothing I can have done to affect your status with them. The problem 
> did not exist on Feb 03, as I have a post from you on that day. Having once 
> run the world's largest DNS farm for several years this problem looks to me 
> like a DNS server was brought up in the uribl farm but before it had current 
> tables, or a server in the farm that was misbehaving was removed. Other 
> problems may also present these symptoms (expired keys, slaves out of 
> sync...), but the general idea is the same. Stale server data on at least one 
> server in their farm.
> 
> Your problem did alert me to a configuration issue here. My whitelist 
> information for the Clamav list server had old information in it which I 
> expect is related to the takeover of ClamAV by Sourcefire who was then 
> consumed by Cisco. That whitelist information was put in place 7 or more 
> years ago and until recently it wasn't a problem.
> 
> Perhaps your blackholing problem is an indication of more problems - we can 
> ask the members to repeat the nslookup of your domain to see if others get 
> the results I got below.
> 
> nslookup geneslinuxbox.net.multi.uribl.com should return address not found. 
> If it is 127.0.0.X then there is still an issue.
> 
> dp
> 
> 
> On 2/6/14, 1:09 PM, Gene Heskett wrote:
>> On Thursday 06 February 2014 16:08:01 Dennis Peterson did opine:
>> 
>> Dennis, you seem to be using a very old cache of uribl, I have been cleared
>> from that list for around 6 weeks now.  And whatever you have done, is now
>> black holing my msgs to the list.
>> 
>>> FYI - I had some bounces this week because Gene Heskett's URI in the
>>> following quote is trapped by uribl.com:
>>> 
>>> nslookup geneslinuxbox.net.multi.uribl.com
>>> Server: 127.0.0.1
>>> Address:127.0.0.1#53
>>> 
>>> Non-authoritative answer:
>>> Name:   geneslinuxbox.net.multi.uribl.com
>>> Address: 127.0.0.2
>>> 
>>> This post is also a test for me to see if I've whitelisted the list
>>> server.
>>> 
>>>> Cheers, Gene
>>>> 
>>>> --
>>>> 
>>>> "There are four boxes to be used in defense of liberty:
>>>>  soap, ballot, jury, and ammo. Please use in that order."
>>>> 
>>>> -Ed Howdershelt (Author)
>>>> Genes Web page
>>> 
>> 
>> 
>> Cheers, Gene
>> 
> 

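The nslookup exchange in this thread, and the earlier advice in the "url scanner" threads to put SURBL and Spamhaus DBL style lists into content filtering, both come down to one DNS query convention. As an added example, not from the thread and not any list's client code, here is that convention in Python: build the <key>.<zone> lookup name, then classify the answer so that NXDOMAIN means "not listed", 127.0.0.X means "listed with code X", and anything else is treated as a lookup failure rather than a hit. The resolver is injected so the code runs offline; the zone name, listed entries and return codes are constructed, and the meaning of the code bits must be taken from each real list's documentation.

```python
"""Added example, not from the thread: build and interpret a DNS-based
URI blocklist query, the check the nslookup lines above perform by hand."""
import ipaddress
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# A resolver maps a lookup name to its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def query_name(url_or_host: str, zone: str) -> str:
    """Turn a URL or bare host into the <key>.<zone> lookup name.

    Hostnames are lowercased and stripped of scheme, port and path. An IPv4
    literal is queried with its octets reversed, the convention DNS-based
    lists use for addresses.
    """
    host = url_or_host
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in {url_or_host!r}")
    try:
        key = ".".join(reversed(str(ipaddress.IPv4Address(host)).split(".")))
    except ipaddress.AddressValueError:
        key = host
    return f"{key}.{zone}"


def check(url_or_host: str, zone: str, resolve: Resolver) -> dict:
    """Look a URL up and classify the answer.

    NXDOMAIN (None) means not listed. 127.0.0.X means listed, with X carrying
    the list's own category bits, which differ per list. Any other answer is
    not a verdict (a resolver rewriting NXDOMAIN, a stale or misbehaving
    mirror) and is reported as a failure, so a broken resolver cannot turn
    every lookup into a hit.
    """
    name = query_name(url_or_host, zone)
    answer = resolve(name)
    if answer is None:
        return {"name": name, "listed": False, "code": None, "note": "NXDOMAIN: not listed"}
    octets = answer.split(".")
    if len(octets) == 4 and octets[:3] == ["127", "0", "0"] and octets[3].isdigit():
        code = int(octets[3])
        return {"name": name, "listed": True, "code": code, "note": f"listed, code {code}"}
    return {"name": name, "listed": False, "code": None,
            "note": f"unexpected answer {answer}: lookup failure, not a verdict"}


def make_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed stand-in for DNS so the example runs offline."""
    return lambda name: table.get(name)


# Constructed zone and answers; real lists publish their own codes.
SAMPLE_ZONE = "multi.example-uribl.invalid"
SAMPLE_DNS = make_resolver({
    f"bad-download.example.{SAMPLE_ZONE}": "127.0.0.2",
    f"10.2.0.192.{SAMPLE_ZONE}": "127.0.0.4",       # 192.0.2.10, octets reversed
    f"broken.example.{SAMPLE_ZONE}": "10.0.0.1",    # resolver rewriting NXDOMAIN
})

if __name__ == "__main__":
    for target in ("http://Bad-Download.example:8080/x.exe", "http://192.0.2.10/",
                   "clean.example", "broken.example"):
        print(check(target, SAMPLE_ZONE, SAMPLE_DNS))
```

A "not listed" answer is only as fresh as the mirror that served it, which is the stale-server situation the thread describes; a filter that acts on these results should therefore log the answering server and the code, not just the boolean.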


[clamav-users] Submissions being rejected :-(

2014-01-21 Thread TR Shaw
This is the mail system at host si01.clam.sourcefire.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to 

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

  The mail system

: Command time limit exceeded:
   "/usr/bin/procmail -a "$EXTENSION""
Reporting-MTA: dns; si01.clam.sourcefire.com
X-Postfix-Queue-ID: AFFB830014
X-Postfix-Sender: rfc822; ts...@oitc.com
Arrival-Date: Tue, 21 Jan 2014 08:55:35 -0500 (EST)


[clamav-users] My malware submissions are bouncing. Help!

2013-11-27 Thread TR Shaw


Any ideas?

btw, Happy Thanksgiving!

This is the mail system at host si01.clam.sourcefire.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to 

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

  The mail system

: Command time limit exceeded:
   "/usr/bin/procmail -a "$EXTENSION""


Re: [clamav-users] Freshclam updates failing

2013-06-22 Thread TR Shaw

On Jun 22, 2013, at 8:52 AM, Denis McMahon wrote:

> On 22/06/13 04:10, Dennis Peterson wrote:
>> On 6/21/13 5:45 AM, Denis McMahon wrote:
> 
>>> appear to suggest that my dns is fine (these are included in the log). I
>>> have another machine on the LAN which updates fine.
> 
>> What do you get if you run freshclam --list-mirrors ?
> 
> $ sudo freshclam --list-mirrors
> Can't read mirrors.dat
> $


Permissions?



Re: [clamav-users] looking for Bill Landry

2013-04-04 Thread TR Shaw

On Nov 25, 2012, at 10:19 PM, Paul Wise wrote:

> Hi all,
> 
> Bill Landry is the developer of clamav-unofficial-sigs and since I'm the
> Debian maintainer of that, I need to discuss some things with him but
> his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does
> anyone know what happened to him or if he moved to a different domain?
> 
> PS: whats the status of clamav support for third-party signatures?

Paul,

I see Steve responded to your question about Bill. I want to clarify your "PS" 
question.

Bill's script still works great.  You just need to keep up with 
http://sanesecurity.com/databases.htm and add/delete the unofficial databases 
you wish to use with clamav.

Tom




Re: [clamav-users] [Clamav-users] Specify a watch folder for clamav

2012-12-06 Thread TR Shaw
Linux, BSD Unix and Mac OS X all support directory/folder-changed actions.

Tom

On Dec 6, 2012, at 1:26 PM, Jari Fredriksson wrote:

> On 06.12.2012 19:44, franckm wrote:
>> Is it possible to have clamd (the clamav daemon) watch a specific folder (and
>> only that one) and automatically scan the files as they are dropped into it?
>> 
> I'm afraid it is not possible with clamd alone. You need a separate
> daemon watching the folder(s) and then call clamd. I am not aware of
> such daemons available.
> 
> -- 
> 
> Truth is the most valuable thing we have -- so let us economize it.
>   -- Mark Twain
> 
> 




Re: [clamav-users] SourceFire support - signature file updates

2012-11-27 Thread TR Shaw

On Nov 27, 2012, at 1:11 PM, Nigel Houghton wrote:

> 
> On Nov 27, 2012, at 12:32 PM, Dennis Peterson  wrote:
> 
>> Can we get a link to a SourceFire statement on the future of ClamAV? I just 
>> rolled it out to a very large enterprise and they won't be happy if this 
>> thing is going under or even looks like it is sputtering. The timing of this 
>> can't have been worse so getting out ahead of the rumors is in everyone's 
>> best interest.
> 
> 
> Statement? There is no statement to be made, we continue to deliver detection 
> content as we have always done. We continue to develop ClamAV as we have 
> always done.
> 
>  http://www.sourcefire.com/security-technologies/open-source/ClamAV
> 
> ...and from the acquisition, some 5+ years ago now.
> 
>  http://www.clamav.net/lang/en/faq/faq-sf/
> 
> Since then, we've added more developers, more signature writers and have 
> increased coverage. We're continuing to improve all the supporting 
> infrastructure for ClamAV and have invested a great deal of time and money 
> into it.
> 
> We've included ClamAV in our FireAMP product, and you can download and use 
> that for free also.
> 

Interesting as it does not appear on your website other than here:

http://www.sourcefire.com/security-technologies/advanced-malware-protection/fireamp

and it doesn't appear to be free, as there is a link to buy it.

Just trying to clarify,

Tom




Re: [clamav-users] missed virus

2012-11-16 Thread TR Shaw
Hi

winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_malware_links.ndb

Also work to stop these

On Nov 15, 2012, at 4:55 PM, Steve Basford wrote:

> 
>> OK, I'm stumped as to why clamav-milter did not catch this virus. It was
>> from this address, being masked as from UPS:
>> 
>> 
>> File: Invoices-14-2012.htm"
>> 
> Hi Jamen,
> 
> I've been seeing these java/htm combos over the last few days and been
> adding detection to phish.ndb.
> 
> The other bad stuff coming in should be detected with:
> 
> phish.ndb, rogue.hdb and blurl.ndb
> 
> OITC's sigs are also recommended.
> 
> More details here:
> http://www.sanesecurity.com/clamav/databases.htm
> 
> 
> Cheers,
> 
> Steve
> Sanesecurity
> 



Re: [clamav-users] PCI-DSS Compliance

2012-11-08 Thread TR Shaw
It meets NIST's requirements (NIST Special Publication 800-53 and associated) 
and is running on NIST approved and DCID 6/3 approved systems.

Tom

On Nov 8, 2012, at 10:17 AM, Royce Williams wrote:

> On Wed, Nov 7, 2012 at 4:01 PM, Kaushal Shriyan
>  wrote:
>> Is clamAV certified for PCI-DSS Compliance requirements?
> 
> I'm relatively new to PCI, but as far as I can tell, almost everything
> in Requirement 5 of PCI-DSS 2.0 is about how you implement, monitor
> and manage your antivirus -- not the antivirus itself.  So compliance
> would reside in the review of a specific program of antivirus use, not
> the software itself.  The software can meet the logging, periodic
> scanning, and detection capabilities required -- as long as you have a
> policy that clarifies, enforces and "auditably" verifies and controls
> its proper use.
> 
> 5.1.1 says:
> 
> For a sample of system components, verify that all anti-virus
> programs detect, remove, and protect against all known types of
> malicious software (for example, viruses, Trojans, worms,
> spyware, adware, and rootkits)
> 
> Since "all known types" varies over time, this would need to be
> periodically revalidated.  If a PCI auditor hadn't heard of ClamAV,
> and was skeptical about ClamAV's applicability, it would be handy to
> have a list of recent and tricky malware, with info on how quickly
> ClamAV teams got them into the signature list, might help clarify
> ClamAV's fitness to purpose.
> 
> Royce



[clamav-users] Bug 5543

2012-10-26 Thread TR Shaw
I don't mind if SourceFire decides they don't like my proposals or problem 
sets. But I do think it shows poor stewardship of clamav when on bugzilla and 
on mail lists there is not a peep of a response from SourceFire after 90 days. 
Either yea or nay. It's like they are ignoring bugzilla entries.  Look at an 
issue and respond with yes or no but don't ignore the issues.  Ignoring these 
issues is just putting your head in the sand.

Tom



[clamav-users] Backchannel sample submittals.

2012-07-05 Thread TR Shaw
For years I have been feeding undetected samples directly to Luca and the clam 
AV team. Ever since the handover of personnel my submittals bounce!  My 
submittal address was:

redac...@unfiltered.clamav.net

Any help would be appreciated.

Tom



Re: [clamav-users] Introducing the new ClamAV team

2012-06-22 Thread TR Shaw

On Jun 22, 2012, at 2:56 PM, Joel Esler wrote:

> Earlier this week we announced a new chapter for ClamAV with the departure of 
> Tomasz Kojm, Alberto Wu, Luca Gibelli and Edwin Török. While we are sad to 
> see them go, we are grateful for the contributions they have made and are 
> committed to carrying on the project with the community in mind.
> 
> As Tomasz mentioned in his own email, ClamAV just had its 10th birthday. Over 
> the years we've been able to integrate ClamAV into our own product suite and 
> it is now used by millions of mail filters, operating systems and millions of 
> file scans per day. It's big, and we want it to be even bigger, with open 
> source commitment at its core.
> 
> So, now that we've begun this new chapter, I’d like to introduce you to some 
> new members of the ClamAV team. These folks might be new to ClamAV, but they 
> have been with the Sourcefire Vulnerability Research Team (VRT) for quite 
> some time, and all have worked on other open source projects. Without further 
> ado, they are:
> 
> Matthew Olney is the project development lead for ClamAV and lead architect 
> for the Razorback framework. Pulling from his experience as a network and 
> security engineer, he’s also a detection specialist for Snort and a frequent 
> contributor of signatures to the ClamAV engine itself.
> 
> Ryan Pentney is the lead bytecode engine developer for ClamAV; a perfect 
> complement to his role as lead developer for file format detection for the 
> Razorback framework. He also is a contributor to both the Snort and ClamAV 
> engines.
> 
> Tom Judge has a strong background in systems and security operations. He is a 
> FreeBSD committer, a lead developer for the Razorback framework and a 
> long-time user of ClamAV. On the ClamAV development team, he concentrates on 
> FireAMP integration, virtual machine interfacing and freshclam development.
> 
> David Raynor is the core engine developer for ClamAV. He was a developer of a 
> major scalable security system for the United States Department of Homeland 
> Security before coming to Sourcefire.
> 
> Nigel Houghton has been with Sourcefire as the lead of the Department of 
> Intelligence Excellence for almost 10 years. Nigel has vast knowledge of 
> programming, operating systems, administration, and security. His team is 
> responsible for the ClamAV supporting infrastructure as well as releasing 
> signature updates.
> 
> As I mentioned, all of the above are members of the VRT, led by Matt 
> Watchinski, who has overseen the ClamAV project since Sourcefire acquired it 
> in 2007. We remain committed to continuing the open source nature of the 
> project, pushing the growth of the project even farther.
> 
> As always, you can reach us on the ClamAV Mailing lists found here: 
> http://www.clamav.net/lang/en/ml/. We look forward to hearing your ideas and 
> feedback. Thanks for using ClamAV and we look forward to working with you.
> 
> 

Joel,

Glad to have you and your team onboard. Looking forward to another great 10 
years.

Nigel (Nigel Houghton), can you ping me off list?

Tom



Re: [clamav-users] False positive suspicion - Fax Server Plus

2012-05-08 Thread TR Shaw

On May 8, 2012, at 5:30 AM, Fajar A. Nugraha wrote:

> On Tue, May 8, 2012 at 4:18 PM, Al Varnell  wrote:
>> On 5/8/12 1:42 AM, "Nicole Brown"  wrote:
>> 
>>> We got some reports from our customers said our website reported as Malware
>>> Site by Bitdefender.
>>> Here is the download links of all our products:
>>> http://faxserverplus.com/download/FSPQuick.EXE
>>> http://faxserverplus.com/download/faxserverplusevl.exe
>>> 
>> Why would you be asking clamav-users to check out something BitDefender
>> finds? Shouldn't you be contacting them?
> 
> To be fair, one of the files WAS recognized as malware by clamav :
> https://www.virustotal.com/file/bf5a62810d8ff28129d84c982e80e4a062d33fd1e082483dfc1f56033491f79d/analysis/1336239300/
> 
> So it probably qualifies as FP report. However, since PUA submissions
> are automatically rejected, I'm not sure what the best way to proceed.
> 
> The "our website reported as Malware" part should probably be ignored
> as it's not relevant to this list.

They should check BitDefender. If there is a setting to disable PUA checking, 
then it is a user issue as the user selected to detect PUAs. If there is not a 
selectable option then it should be a bug report to BitDefender. If used in a 
mailserver environment then PUA detects may be mis-weighted.

After all, PUA detection is disabled by default out of the box by ClamAV, so 
someone else must have enabled it.

Tom


Re: [clamav-users] Virus information database?

2012-05-07 Thread TR Shaw

On May 7, 2012, at 8:35 PM, Pepijn Schmitz wrote:

> Hi Al,
> 
> On 07-05-12 20:44, Al Varnell wrote:
>>> And is there no place where I can find more information about the trojan
>>> ClamAV thinks it is detecting? Surely there is more information than a
>>> hex string, somewhere?
>> The only one that might know something about it is the member of the
>> signature team that published it (Alain Zidouemba) who probably isn't going
>> to remember what he did back on 19 April unless he took good notes:
> I must say the lack of transparency is bothering me a little. I'm used
> to antivirus programs giving me access to a detailed database with
> information about the threats they claim to detect, so I can make my own
> determination of how likely something is to be an actual threat and what
> it does and how dangerous it is, or whether it is just a theoretical
> threat, or a likely false positive.
>>> Submission-ID: 42631477
>>> Sender: Virus Total
>>> Sender: Anonymous
>>> Added: Trojan.Agent-281708
>> This says it originated at VirusTotal.
> It's also strange that Virus Total is saying that ClamAV (and only
> ClamAV) is claiming the file contains a trojan, and ClamAV says that
> Virus Total is the source for that information. This seems like a
> circular chain of evidence to me, which could prove anything, and
> therefore nothing.
> 
> And when I search for these names and strings, all I find are Virus
> Total reports, and lists of threats claimed to be detected by various
> products, but no actual information about the alleged trojans themselves
> (except that they're "highly dangerous"). It's all very mysterious, and
> it doesn't inspire confidence in me in the accuracy of these detections,
> I'm sorry to say, especially given my own current experience.
>> When I do a Google search for
>> "74da9128149f4e678783b4125095d396 +site:virustotal.com"
>> I get 6 hits, several of which show a VBA32 detection of
>> TrojanBanker.Qhost.aaji
> So I see. Thanks for the tip. In most of them the only other detection
> is once again by ClamAV though. It seems likely to me that those are all
> false positives too. They all seem to be installers or uninstallers,
> perhaps something about that is triggering ClamAV and VBA32. When I
> search for this "TrojanBanker.Qhost.aaji" trojan, once again I can find
> no concrete information about it whatsoever, so unfortunately it doesn't
> really help in identifying what it is that ClamAV thinks my program is
> infected with...

Pepijn

Not sure what your issue is.  First, virus names are not uniform.  You should 
not expect them to be.  As for your assertion that other AVs provide detailed 
info as to why they detected, I would say to you that you are being naive.

As for your statement about circular reference: VT supplies every sample 
submitted to all AV vendors. Each vendor determines if they even wish to 
process a submittal.  In this case ClamAV did and, per Edwin's earlier 
response, an MD5 signature was generated around a piece of the executable 
sample.  So if you are concerned about your app, which you seem to be, you can 
1) use sigtool to examine your app to see where you might further want to 
analyze to change, 2) submit an FP report to ClamAV, or 3) since the sig is an 
MD5, recompile your app with some slight changes such as adding extra constants 
to change the MD5 and you should be fine.

Tom



Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread TR Shaw

On Apr 19, 2012, at 8:24 AM, Ralf Hildebrandt wrote:

> * Török Edwin :
>> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
>>> Is there an alternative way of submitting FP's?
>>> 
>> 
>> Are you using this page?
>> http://www.clamav.net/lang/en/sendvirus/submit-fp/
> 
> Yep. 
> 

Works here in Safari and Chrome and Firefox.

Tom



[clamav-users] Question on processing Jar files

2012-03-26 Thread TR Shaw
Does ClamAV treat .jar files in a similar fashion to .zips? e.g. is the jar 
broken apart and then individual .class and other files get scanned as well?

Looking into options for writing signatures for these.

TIA,

Tom



[clamav-users] Bytecode 34 failed to run

2012-03-21 Thread TR Shaw
ClamAV 0.97.4/14681/Wed Mar 21 12:47:18 2012

Bytecode 34 failed to run

Submitted to bugzilla as Bug 4629

Tom


[clamav-users] Bytecode runtime error

2012-01-18 Thread TR Shaw
$ clamdscan -V
ClamAV 0.97.3/14323/Wed Jan 18 09:09:29 2012


LibClamAV Warning: Bytecode runtime error at line 0, col 0
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 36 failed to run: Error during bytecode execution
109544.cf.exe



Re: [clamav-users] 0.97.3 compile on OSX 10.6.8 with xcode 4.2

2011-10-19 Thread TR Shaw
Chuck,

Hmmm... From the developer site, 4.2 is available for snow and lion. I picked 
snow since I need to wait till gpg is working with Lion Mail before migrating 
my laptop. So I downloaded the snow version of 4.2.

On Oct 19, 2011, at 8:50 PM, Chuck Swiger wrote:

> On Oct 19, 2011, at 5:37 PM, TR Shaw wrote:
>> Ideas?
> 
> If you've got MacOS X 10.6.8, then you can't use Xcode 4.2-- that's for 10.7 
> or later:
> 
> 
> 
> ClamAV 0.7.3 appears to compile and pass all self-checks under 10.6.8 using 
> Xcode 4.0 (or 3.x also):
> 
> make  check-TESTS
> PASS: check_clamav
> PASS: check_freshclam.sh
> PASS: check_sigtool.sh
> SKIP: check_unit_vg.sh
> PASS: check1_clamscan.sh
> PASS: check2_clamd.sh
> PASS: check3_clamd.sh
> PASS: check4_clamd.sh
> SKIP: check5_clamd_vg.sh
> SKIP: check6_clamd_vg.sh
> SKIP: check7_clamd_hg.sh
> SKIP: check8_clamd_hg.sh
> SKIP: check9_clamscan_vg.sh
> ==
> All 7 tests passed
> (6 tests were not run)
> ==
> 
> This was compiled with:
> 
> % cc --version
> i686-apple-darwin10-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) 
> (LLVM build 2335.9)
> 
> Regards,
> -- 
> -Chuck
> 



[clamav-users] 0.97.3 compile on OSX 10. 6.8 with xcode 4.2

2011-10-19 Thread TR Shaw
Works fine for 32-bit Intel

./configure --enable-llvm --enable-clamdtop --with-user=_clamav 
--with-group=_clamav

Under 0.97.2 it worked fine on 64-bit as well. Now it fails along with 

CFLAGS="-arch x86_64" CXXFLAGS="-arch x86_64" ./configure --enable-llvm 
--enable-clamdtop --with-user=_clamav --with-group=_clamav

or

CFLAGS="-arch i386" CXXFLAGS="-arch i386" ./configure --enable-llvm 
--enable-clamdtop --with-user=_clamav --with-group=_clamav

Ideas?





Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread TR Shaw

On Sep 19, 2011, at 12:04 PM, Bowie Bailey wrote:

> On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>>> A hostname cannot be all digits and except when the IP is used there
>>> will be a TLD, so if you see a pattern such as
>>> 
>>> http:// 123456789/ cgi-bin/innocent_code.pl
>>> 
>>> (Ignore the spaces they are there to let this post slip by most antispam
>>> detection) then you can surmise it is an attempt at obfuscation.
>> I don't get it, what's the pattern we're looking for? An IP address is a
>> number. Any way you specify it is fine. 123456789 is no more obfuscated
>> than whatever it would be if you converted it to dotted quad. They both
>> represent the same number.
>> 
>> If you're trying to match a text pattern against an integer, you're
>> doing it wrong.
> 
> He is not trying to match the IP address.  He is trying to match an
> unusual way of presenting the IP address that seems to occur primarily
> in spam.
> 

Basically an IPv4 address can be anything that inet_addr() can handle. 

See 
http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf2/inet_addr.htm

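The remark that an IPv4 address "can be anything inet_addr() can handle" is the whole reason a text pattern for http://123456789/ is fragile: the same host can be spelled as a single decimal, in hex, in octal, or with fewer than four parts. As an added example, not from the thread and not any libc's code, the parsing rules of the classic BSD inet_aton() are reimplemented below in Python (one to four dot-separated parts, each in C number notation, the last part filling the remaining bytes), so a URL filter can canonicalise a host before deciding whether it is an address written in a disguised form. The sample inputs are constructed.

```python
"""Added example, not from the thread or any libc: the address forms that
inet_addr()/inet_aton() accept, reimplemented in Python, so a URL filter can
canonicalise a host before matching it."""
from typing import Optional


def _c_number(part: str) -> Optional[int]:
    """Parse one component as strtoul(..., base 0) would: 0x.. hex, a leading
    0 octal, otherwise decimal. Returns None for anything malformed."""
    if not part or not (part.isascii() and part.isalnum()):
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16) if len(part) > 2 else None
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        if part.isdigit():
            return int(part, 10)
    except ValueError:
        pass
    return None


def canonical_ipv4(text: str) -> Optional[str]:
    """Canonicalise any inet_aton()-style address to dotted quad, or None.

    a.b.c.d: one byte each; a.b.c: c fills 16 bits; a.b: b fills 24 bits;
    a: the whole 32-bit value. A value too large for its slot is rejected,
    as inet_aton() rejects it.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_c_number(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    tail_bits = 8 * (4 - len(lead))
    if any(v > 0xFF for v in lead) or last >= 1 << tail_bits:
        return None
    packed = last
    for i, v in enumerate(reversed(lead)):
        packed |= v << (tail_bits + 8 * i)
    return ".".join(str((packed >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def disguised_ipv4(host: str) -> Optional[str]:
    """Return the dotted quad when host is an IPv4 literal written in any
    form other than plain dotted quad (the pattern the thread is after);
    None for ordinary dotted quads and for hostnames."""
    canon = canonical_ipv4(host)
    if canon is None or canon == host:
        return None
    return canon


if __name__ == "__main__":
    # Constructed inputs: the thread's http://123456789/ form and friends.
    for sample in ("123456789", "0x7f.1", "0177.0.0.1", "10.1", "1.2.3.4", "example.com"):
        print(f"{sample:>12} -> {canonical_ipv4(sample)}  disguised={disguised_ipv4(sample)}")
```

A filter that wants the "unusual presentation" signal compares the canonical form with the literal as written; a filter that wants the address itself (for a lookup against a DNS-based list, say) uses the canonical form and ignores how it was spelled.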


Re: [clamav-users] Virus not detected by Clamav

2011-06-29 Thread TR Shaw

On Jun 29, 2011, at 7:58 AM, polloxx wrote:

> On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler  wrote:
>> If you have a sample of the file, submitting it through ClamAV's submission 
>> interface makes it "bubble up" so the rule writers can get to it faster.
>> 
>> (instead of waiting for it to come through Virustotal)
>> 
> 
> Joel,
> 
> 
> I did that yesterday.

If you are using winnow malware rules (part of sanesecurity's distribution) you 
can also send a sample to virus_samples at oitc.com. We release temp sigs 
quickly until clamav folks provide a formal sig.




Re: [clamav-users] Virus not detected by Clamav

2011-06-29 Thread TR Shaw

On Jun 29, 2011, at 6:04 AM, polloxx wrote:

> On Wed, Jun 29, 2011 at 11:45 AM, Henrik K  wrote:
>> On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
>>>> On Wed, 29 Jun 2011 11:24:24 +0200
>>>> polloxx wrote:
>>> 
>>>> Are there other users with the same problem? Any solution?
>>> 
>>> I have the same problem.
>>> I manage a mail server used by a vendor of DHL.
>>> 
>>> Pretty annoying as far as all emails from DHL are sensible and
>>> important for the users :-)
>>> 
>>> Unfortunately, I have found no solution... yet.
>> 
>> So your users receive a lot of legitimate exes?
>> 
> 
> It was a zip file.
> 
>> If you are expecting ClamAV to be a 0day magic tool without having lots of
>> other defences (spamassassin etc) and lots of custom rules, then yes, there
>> is no solution.
>> 
> 
> The virus was found Monday morning. According to Virus Total 31/41
> engines do detect it. Unfortunately Clamav did not.

winnow.malware and other portions of sanesecurity's distributed unofficial 
rules will probably detect those.

Tom




Re: [clamav-users] Compiling ClamAV for PPC on an Intel Machine

2011-06-02 Thread TR Shaw

On Jun 2, 2011, at 7:10 PM, Al Varnell wrote:

> On 6/2/11 3:37 PM, "Russ Tyndall"  wrote:
> 
>> 
>> On Jun 2, 2011, at 2:31 PM, Al Varnell wrote:
>> 
>>> I'm sure I've seen answers to this question on ClamXav's forum
>>>  if you don't get an answer
>>> here.
>> 
>> Oh, yes, Mark very kindly tried to help me on the ClamAV forums earlier in 
>> the
>> year:
>> 
>> 
>> 
>> His instructions *seemed* to work (at least glancing through the output) but
>> the binaries that were created seemed to just only have intel code (no PPC).
>> 
>> When I did lipo -info on the binaries they came back:
>> 
>> Non-fat file: /usr/local/clamav/sbin/clamd is architecture: i386
>> 
>> His instructions (after installing a particular compiler) included these
>> steps:
>> 
>> CC="/usr/bin/gcc-4.2"
>> CXX="/usr/bin/g++-4.2"
>> CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.4 -isysroot
>> /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386"
>> CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.4 -isysroot
>> /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386"
>> 
>> ./configure --disable-dependency-tracking  --enable-llvm --enable-clamdtop
>> --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
>> --prefix=/usr/local/clamav
>> 
>> I have wondered if "make" or "make install" needs some kind of flag(?)
>> 
> The only thing I can think of is the last update to XCode did not contain
> what was needed to compile for PPC, so if you have updated recently that
> portion needs to be added separately.  Again, Mark figured this out with his
> last update.  I've run into several software developers who thought they
> were producing Universal Binaries and were surprised by this.
> 
I have an old 10.4 machine and create them here. I might tell you that _clamav 
is not the correct user/group for 10.4; it's clamav.

Tom

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001

2011-03-29 Thread TR Shaw

On Mar 29, 2011, at 1:06 PM, Al Varnell wrote:

> On 3/29/11 6:29 AM, "Russ Tyndall"  wrote:
> 
>> 
>> On Mar 27, 2011, at 2:31 AM, Al Varnell wrote:
>> 
>>> Some Mac users will recall that several months back we discussed the bzip2
>>> bug and I filed a bug report with Apple when it wasn't included in their
>>> previous updates back in November.  They acknowledged they were working on
>>> it and promised it would be out shortly.  Last Monday they posted updates to
>>> both Mac OS X 10.5.8 and 10.6.6 which purports to fix the bug (forwarded
>>> below).
>> 
>> For older machines (10.4) what is the best way to update bzip2?
>> 
> Mac OS X 10.4 probably has bigger security issues for you than bzip2 as
> there have been no updates since Sep 2009.
> 
>> Do I need to put MacPorts on every machine?  Or can updated bzip2 files be
>> manually installed? Obviously, I am going to have to go third-party.
>> 
> I can't think of any reason you couldn't just download and compile the
> source from  and install all the files for v1.0.6.  I
> don't really know what the OS uses bzip2 for, other than decompressing .bz2
> files that it runs across, but there could potentially be OS compatibility
> issues.  I'm aware of several folks who have been using v1.0.6 since it came
> out, at least one of whom is running 10.4 and have not reported having any
> issues.

Al,

The problem is that the make for dynamic libraries doesn't work out of the box 
so even if you compile the static version clam will link with the old dynamic 
lib.

Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Improving Scan Speeds on OS X.4.11

2011-03-16 Thread TR Shaw

On Mar 16, 2011, at 1:31 PM, Russ Tyndall wrote:

> 
> On Mar 15, 2011, at 7:10 PM, TR Shaw wrote:
> 
>>> On Mar 15, 2011, at 4:48 PM, TR Shaw wrote:
>>> 
>>>> Look at your config file. You don't need to scan more than probably 
>>>> 200KB of a file.
>>> 
>>> So you are suggesting I use the MaxScanSize directive to limit scans to the 
>>> first 200KB of each file?  (i.e., add a line to clamd.conf: MaxScanSize 
>>> 200KB).
>>> 
>>> I imagine that would speed things up nicely  :-)
>>> 
>> 
>> Yes. Pick a size you feel comfy with but I believe there are few signatures 
>> that span large file sizes.  You might want to override this once a week to 
>> check large zip/gz files but in general this should be good.  Let me know 
>> how it helps.
> 
> A full scan with default settings (MaxScanSize = 20MB) takes about 2 hours to 
> scan a particular directory.
> 
> A full scan with MaxScanSize = 1MB takes about 1 hour.
> 
> A full scan with MaxScanSize = 200K takes about 18 minutes.
> 
> ***
> 
> So I now have two tactics to minimize scan time: 1) Partially scan ALL files 
> 2) Fully scan a set of recently modified files.
> 
> Which is more likely?: That a partial scan (first 200K) misses a baddie? Or 
> that a baddie fakes a modification date?


You play craps??  LOL

Seriously, as for "faking" the mod date... you don't have to fake it, just 
uncompress an archive preserving creation and modification dates and voila.

There are plenty of other approaches (save filenames and mod dates in a DB and 
only scan additions or changes to it; etc.) but all have diminishing returns. 
After all there is a window between the time malware is stored and the time you 
detect it as well and no AV is perfect.

Just do the best you can do.  If you feel uncomfortable run full scans on 
weekends and reduced during the week.  

Tom

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
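One way to implement the "save filenames and mod dates in a DB and only scan additions or changes" approach from the message above, as an added example that is not part of the original thread: it tracks the inode change time (ctime) alongside size and mtime, because an archive extracted with preserved timestamps keeps its old mtime but the kernel sets ctime on every write or utime() call, so the file is still selected for a full scan. The directory layout, file names and timestamps in `demo()` are constructed for illustration.

```python
"""Pick files for an incremental scan pass from recorded inode metadata.

Added example (not code from the list thread). Idea: record size, mtime
and ctime per file; on the next run, only files that are new or whose
metadata changed are handed to the scanner.
"""
import os
import sqlite3
import stat
import tempfile
import time


def snapshot(root):
    """Map each regular file under root to (size, mtime_ns, ctime_ns)."""
    seen = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow symlinks
            if stat.S_ISREG(st.st_mode):
                seen[path] = (st.st_size, st.st_mtime_ns, st.st_ctime_ns)
    return seen


def open_db(location=":memory:"):
    """Create the tracking table; pass a file path for a persistent DB."""
    db = sqlite3.connect(location)
    db.execute(
        "CREATE TABLE IF NOT EXISTS files ("
        "path TEXT PRIMARY KEY, size INTEGER, mtime_ns INTEGER, ctime_ns INTEGER)"
    )
    return db


def files_to_scan(db, root):
    """Return paths that are new or whose size/mtime/ctime differ from the
    recorded values, then record the current state for the next run."""
    current = snapshot(root)
    known = {
        row[0]: tuple(row[1:])
        for row in db.execute("SELECT path, size, mtime_ns, ctime_ns FROM files")
    }
    changed = sorted(p for p, meta in current.items() if known.get(p) != meta)
    db.executemany("DELETE FROM files WHERE path = ?",
                   [(p,) for p in known if p not in current])
    db.executemany("INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?)",
                   [(p, *meta) for p, meta in current.items()])
    db.commit()
    return changed


def demo():
    """Constructed scenario in a temp dir: returns the basenames selected on
    the baseline run and on the run after two timestamp-preserving changes."""
    old_ns = 1_300_000_000 * 10**9        # constructed: a 2011-era mtime
    with tempfile.TemporaryDirectory() as root:
        db = open_db()
        for name in ("report.doc", "notes.txt"):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"benign placeholder " + name.encode())
            os.utime(path, ns=(old_ns, old_ns))
        first = [os.path.basename(p) for p in files_to_scan(db, root)]

        time.sleep(1.1)   # clear 1-second timestamp granularity on older FSes

        # Case 1: report.doc is overwritten with same-size bytes and its mtime
        # is put back, the way tar -p or unzip preserves archive timestamps.
        # Size and mtime are unchanged; only ctime gives it away.
        path = os.path.join(root, "report.doc")
        with open(path, "r+b") as fh:
            fh.write(b"BENIGN")           # same length, different content
        os.utime(path, ns=(old_ns, old_ns))
        # Case 2: a new file appears carrying an old mtime from an archive.
        new = os.path.join(root, "extracted.exe")
        with open(new, "wb") as fh:
            fh.write(b"constructed placeholder, not an executable")
        os.utime(new, ns=(old_ns, old_ns))
        # notes.txt is untouched and must not be selected again.
        second = [os.path.basename(p) for p in files_to_scan(db, root)]
    return first, second


if __name__ == "__main__":
    baseline, incremental = demo()
    print("baseline run scans:", baseline)
    print("incremental run scans:", incremental)
```

Feed the returned paths to clamdscan (or clamscan) and keep the full weekend scan Tom suggests, since a file whose content changed in place without any metadata change would not be caught by this selection.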


Re: [clamav-users] Improving Scan Speeds on OS X.4.11

2011-03-15 Thread TR Shaw

On Mar 15, 2011, at 6:56 PM, Russ Tyndall wrote:

> 
> On Mar 15, 2011, at 4:48 PM, TR Shaw wrote:
> 
>> Look at your config file. You don't need to scan more than probably 
>> 200KB of a file.
> 
> So you are suggesting I use the MaxScanSize directive to limit scans to the 
> first 200KB of each file?  (i.e., add a line to clamd.conf: MaxScanSize 
> 200KB).
> 
> I imagine that would speed things up nicely  :-)
> 

Yes. Pick a size you feel comfy with but I believe there are few signatures 
that span large file sizes.  You might want to override this once a week to 
check large zip/gz files but in general this should be good.  Let me know how 
it helps.

> 
>> If you're using google; don't. It will help for email but probably will not 
>> help finding badness on a file server. Likewise with unofficials. Not all 
>> unofficials are appropriate for your application.
> 
> Sorry, Tom, I don't have the knowledge to understand this.

If you haven't enabled this in your config or added other sigs then just ignore 
me here ;-)

> 
>> 
>> Lastly, when you compiled your clamd, what compiler options did you pick?
> 
> I updated the bzip-related libraries and made sure I was using GCC 3.3.
> 
> LDFLAGS="-O3 -L/opt/local/lib"
> 
> ./configure --prefix=/usr/local --mandir=/usr/local/share/man 
> --sysconfdir=/private/etc/spam/clamav/new --enable-bigstack 
> --with-user=clamav --enable-static --with-group=clamav 
> --with-dbdir=/var/clamav --datadir=/var/clamav
> 
> Then, make and install.
> 

That's probably as good as you can do for now.  If you can get a 10.5 license then 
do it, as 10.5 fixes some low level process switch slowdowns that were in Tiger. 
It isn't a panacea but it should help a bit also.

Tom

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Improving Scan Speeds on OS X.4.11

2011-03-15 Thread TR Shaw
Russ,

Look at your config file. You don't need to scan more than probably 200KB 
of a file. If you're using google; don't. It will help for email but probably 
will not help finding badness on a file server. Likewise with unofficials. Not 
all unofficials are appropriate for your application.

Lastly, when you compiled your clamd, what compiler options did you pick?

Tom

On Mar 15, 2011, at 3:21 PM, Russ Tyndall wrote:

> Hello,
> 
> I'm running clamav 0.965 on a G5 (1 processor) with OS X Server 10.4.11. 
> Clamav runs as root. This machine is primarily used as a file server, with a 
> mixture of OS X and Windows clients.
> 
> A launchdaemon automatically kicks off an overnight scan by sending a command 
> to clamdscan.  Only directories that are used by the Windows machines are 
> scanned.
> 
> Because of the huge volume of data being scanned (70 Gb), the scan takes 
> about 6 hours to complete.
> 
> Is there a practical way to reduce the scan time?
> 
> Thanks.
> 
> -
> Russ Tyndall
> Wake Forest, NC
> 
> 
> 
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[clamav-users] SubmitDetectionStats: Can't connect to server

2011-03-10 Thread TR Shaw
This is new

Thu Mar 10 17:34:15 2011 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 10 17:34:15 2011 -> Can't connect to port 80 of host stats.clamav.net 
(IP: 188.40.140.240)
Thu Mar 10 17:34:45 2011 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 10 17:34:45 2011 -> Can't connect to port 80 of host stats.clamav.net 
(IP: 188.40.140.240)
Thu Mar 10 17:34:45 2011 -> ERROR: SubmitDetectionStats: Can't connect to server
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Can't compile 0.97 as 64-bit on Mac OS 10.5.8

2011-02-12 Thread TR Shaw
You have to set CXXFLAGS

CFLAGS="-arch x86_64" CXXFLAGS="-arch x86_64" ./configure --enable-llvm 
--enable-clamdtop --with-user=_clamav --with-group=_clamav

On Feb 12, 2011, at 9:16 AM, James Brown wrote:

> I have been compiling clamav all day with a great many combinations of 
> options.
> No matter what I try, it won't build in 64bit.
> 
> I used:
> 
> ./configure CFLAGS='-arch x86_64' --build=x86_64-apple-darwin9.8.0
> make
> sudo make install (after stopping clamd)
> 
> The configure output had:
> 
> === configuring in llvm 
> (/Users/jlbrown/Downloads/clamav-0.97/libclamav/c++/llvm)
> configure: running /bin/sh ./configure --disable-option-checking 
> '--prefix=/usr/local'  'CFLAGS=-arch x86_64' 
> '--build=x86_64-apple-darwin9.8.0' 'build_alias=x86_64-apple-darwin9.8.0' 
> '--enable-ltdl-convenience' '--enable-optimized' 
> 'llvm_cv_gnu_make_command=make' '--enable-targets=host-only' 
> '--enable-bindings=none' '--enable-libffi=no' '--without-llvmgcc' 
> '--without-llvmgxx' --cache-file=/dev/null --srcdir=.
> checking build system type... x86_64-apple-darwin9.8.0
> checking host system type... x86_64-apple-darwin9.8.0
> checking target system type... x86_64-apple-darwin9.8.0
> checking type of operating system we're going to host on... Darwin
> checking type of operating system we're going to target... Darwin
> checking target architecture... x86_64
> checking for gcc... gcc
> 
> so that looks good.
> 
> But the output of 'make' was full of lines like this:
> 
> ld warning: in .libs/libclamav.lax/libclamavcxx.a/ValueSymbolTable.o, file is 
> not of required architecture
> ld warning: in .libs/libclamav.lax/libclamavcxx.a/ValueTracking.o, file is 
> not of required architecture
> ld warning: in .libs/libclamav.lax/libclamavcxx.a/ValueTypes.o, file is not 
> of required architecture
> ld warning: in .libs/libclamav.lax/libclamavcxx.a/Verifier.o, file is not of 
> required architecture
> ld warning: in .libs/libclamav.lax/libclamavcxx.a/VirtRegMap.o, file is not 
> of required architecture
> 
> And the result is a 32-bit binary:
> 
> file /usr/local/sbin/clamd
> /usr/local/sbin/clamd: Mach-O executable i386
> 
> 
> I have tried CFLAGS, CXXFLAGS, LDFLAGS, CPPFLAGS and --build settings.
> everything I tried either failed or built i386.
> 
> Does anyone have any suggestions?
> 
> Thanks,
> 
> James.
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Sophos Anti-Virus

2011-01-02 Thread TR Shaw

On Jan 2, 2011, at 7:12 PM, Bob Traktman wrote:

> 
> Is there any reason not to keep ClamAv and Sophos Anti-Virus -- both active?


None whatsoever. Defense in depth is a good thing.

Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[clamav-users] When to run freshclam? Was Re: Updating of clam stats has stopped

2010-12-31 Thread TR Shaw

On Dec 31, 2010, at 2:25 AM, Török Edwin wrote:

> Actually in 0.96.5 freshclam gets the stats directly from clamd, not the
> logs. If you restart clamd the stats are lost as they are not saved
> anywhere.


Oh, so that means if you want to keep stats you need to run freshclam on 
shutdown or restart of clamav?

Also will kill -USR2 `cat $clamd_pid` lose stats?

Tom


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Updating of clam stats has stopped

2010-12-30 Thread TR Shaw

On Dec 30, 2010, at 4:56 PM, Jerry wrote:

> I recently noticed that my stats are not being updated online. The
> "Last detected IP: 0.0.0.0" is obviously incorrect. When I attempt to
> update manually, I receive this message:
> 
> *** Virus databases are not updated in this mode ***
> SubmitDetectionStats: Not enough recent data for submission
> 
> There have been hundreds of detections, so that is certainly not the
> problem. I shutdown clamd, etc and erased the clamd and freshclam log
> files and rebooted the system. Two days later it is still not recording
> any stats.
> 
> This use to work fine. It just suddenly seems to have stopped working in
> the past week or two. The output of:
> 
> clamd --version
> ClamAV 0.96.5/12457/Thu Dec 30 08:25:24 2010
> 
> From the clamd.log file:
> clamd daemon 0.96.5 (OS: freebsd8.2, ARCH: amd64, CPU: amd64)
> 
> I was thinking that it might be a firewall problem; however, that would
> not explain the "Not enough recent data" message.
> 
> -- 
> Jerry ✌
> clamav.u...@seibercom.net

Jerry

Don't know what your problem is, but stats are accumulated and sent from 
freshclam by reading your logs. You might check your freshclam.

Tom

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] Upcoming release of ClamAV (0.96.5)

2010-11-23 Thread TR Shaw
OSX 10.6.5

Other than the normal bzip2 and .map warnings and a number of long int to off_t 
cast warnings and

detect.cpp: In function ‘void cli_detect_env_jit(cli_environment*)’:
detect.cpp:128: warning: enumeration value ‘Minix’ not handled in switch

Seemed to be fine:

make  check-TESTS
SKIP: check_clamav
PASS: check_freshclam.sh
PASS: check_sigtool.sh
SKIP: check_unit_vg.sh
PASS: check1_clamscan.sh
PASS: check2_clamd.sh
PASS: check3_clamd.sh
PASS: check4_clamd.sh
SKIP: check5_clamd_vg.sh
SKIP: check6_clamd_vg.sh
SKIP: check7_clamd_hg.sh
SKIP: check8_clamd_hg.sh
SKIP: check9_clamscan_vg.sh

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] Solved Re: OSX configure command

2010-11-16 Thread TR Shaw

On Nov 14, 2010, at 6:41 PM, Larry Stone wrote:

> On 11/14/10 1:44 PM, Spiro Harvey at sp...@knossos.net.nz wrote:
> 
>> This is where your trouble started. This is telling you it can't find
>> an appropriate C compiler (gcc).
>> 
>>> configure:3749: found /Developer/usr/bin/gcc
>>> configure:3760: result: gcc
>>> configure:3989: checking for C compiler version
>>> configure:3998: gcc --version >&5
>> 
>> It looks like it found one, but it isn't happy with it.
> 
> As I mentioned yesterday, it builds fine for me but my PATH is the default
> (or close to it) and does not include all the /Developer directories the OP
> has in his. It's just:
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/usr/local/bin
> All programs I've built from source build fine with that.
> 
> On my system, both /Developer/usr/bin/gcc and /usr/bin/gcc are softlinks to
> gcc-4.2.
> 
> 
>> It seems to have plodded along for a bit anyway until it got to..
>> 
>>> ld: library not found for -lcrt1.10.6.o
>> 
>> This is where it looks like it borked. You don't have version 1.10.6
>> of the crt lib. But it looks like it's not happy with GCC either.
> 
> On my system, I find crt1.10.6.o in /usr/lib but not in /Developer/usr/lib.
> 
> This is all with OS X 10.6.5 although I have not built anything since
> upgrading from 10.6.4.

Thanks to everyone.

The problem was that although Migration Assistant said it copied everything 
including /Developer it appears it missed some files and screwed up links when 
I migrated to a new machine.

Reinstalling Xcode (for this) and others to repair some other weirdness solved 
the problem.

Thanks again to everyone who helped,

Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] OSX configure command

2010-11-13 Thread TR Shaw

On Nov 13, 2010, at 7:46 PM, Larry Stone wrote:

> On 11/13/10 5:35 PM, TR Shaw at ts...@oitc.com wrote:
> 
>> I just got around to compiling 0.96.4 and no joy. My configure command no
>> longer is working properly. I have xcode installed and my search path is
>> 
>> /Developer/usr/share:/Developer/usr/sbin:/Developer/usr/lib:/Developer/usr/bin
>> :/Library/Frameworks/GDAL.framework/Programs:/usr/bin:/bin:/usr/sbin:/sbin:/us
>> r/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin
>> 
>> Running on 10.6
>> 
>> Any help would be appreciated,
> 
> No problem for me. Did you ever think that the specific error message you
> are getting might just possibly be relevant and worth posting (sarcasm
> intended)? I doubt the path has anything to do with it (except maybe to
> break things) as I have not modified my path to include any of that junk you
> have and my compile worked just fine.
> 
> -- 
Well

Raven:clamav-0.96.4 tshaw$ ./configure
checking build system type... i386-apple-darwin10.5.0
checking host system type... i386-apple-darwin10.5.0
checking target system type... i386-apple-darwin10.5.0
creating target.h - canonical system defines
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... config/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking how to create a ustar tar archive... gnutar
checking for gawk... (cached) awk
checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/Users/tshaw/Sites/clamav/clamav-0.96.4':
configure: error: C compiler cannot create executables
See `config.log' for more details

config.log says:

configure:3733: checking for gcc
configure:3749: found /Developer/usr/bin/gcc
configure:3760: result: gcc
configure:3989: checking for C compiler version
configure:3998: gcc --version >&5
i686-apple-darwin10-gcc-4.2.1 (GCC) 4.2.1 (Apple Inc. build 5664)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

configure:4009: $? = 0
configure:3998: gcc -v >&5
Using built-in specs.
Target: i686-apple-darwin10
Configured with: /var/tmp/gcc/gcc-5664~105/src/configure --disable-checking 
--enable-werror --prefix=/usr --mandir=/share/man 
--enable-languages=c,objc,c++,obj-c++ 
--program-transform-name=/^[cg][^.-]*$/s/$/-4.2/ --with-slibdir=/usr/lib 
--build=i686-apple-darwin10 --program-prefix=i686-apple-darwin10- 
--host=x86_64-apple-darwin10 --target=i686-apple-darwin10 
--with-gxx-include-dir=/include/c++/4.2.1
Thread model: posix
gcc version 4.2.1 (Apple Inc. build 5664)
configure:4009: $? = 0
configure:3998: gcc -V >&5
gcc-4.2: argument to `-V' is missing
configure:4009: $? = 1
configure:3998: gcc -qversion >&5
i686-apple-darwin10-gcc-4.2.1: no input files
configure:4009: $? = 1
configure:4029: checking whether the C compiler works
configure:4051: gccconftest.c  >&5
ld: library not found for -lcrt1.10.6.o
collect2: ld returned 1 exit status
configure:4055: $? = 1
configure:4093: result: no



___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] OSX configure command

2010-11-13 Thread TR Shaw
I just got around to compiling 0.96.4 and no joy. My configure command no 
longer is working properly. I have xcode installed and my search path is

/Developer/usr/share:/Developer/usr/sbin:/Developer/usr/lib:/Developer/usr/bin:/Library/Frameworks/GDAL.framework/Programs:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin

Running on 10.6

Any help would be appreciated,

Thx,

Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] PS Re: OSX Boonana Trojan

2010-10-30 Thread TR Shaw
PS: It's not just OSX. It exploits a flaw in Java, so Linux, Unix, and windoz are 
all infectable.

On Oct 30, 2010, at 3:36 AM, Al Varnell wrote:

> Above named Trojan or worm, depending on your perspective, was found in the
> wild last week, rated critical by at least one commercial vendor.  I have it
> on good authority that a signature was prepared, tested and submitted about
> 36 hours ago.  By my count there have been at least four updates published
> containing 13 new signatures, but no sign of this one.  Any idea what the
> holdup is?
> 
> 
> -Al-
> 
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] OSX Boonana Trojan

2010-10-30 Thread TR Shaw
I have detection for it in winnow malware unofficial and samples have been 
forwarded to Luca..

Tom

On Oct 30, 2010, at 3:36 AM, Al Varnell wrote:

> Above named Trojan or worm, depending on your perspective, was found in the
> wild last week, rated critical by at least one commercial vendor.  I have it
> on good authority that a signature was prepared, tested and submitted about
> 36 hours ago.  By my count there have been at least four updates published
> containing 13 new signatures, but no sign of this one.  Any idea what the
> holdup is?
> 
> 
> -Al-
> 
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] safe_clamd

2010-10-14 Thread TR Shaw

On Oct 14, 2010, at 7:05 AM, Luca Gibelli wrote:

> Hello,
> 
> starting from the 0.96.2 release, our source tarball includes a script to 
> automatically restart clamd in case the daemon crashes.
> 
> The script is currently placed in the contrib/ directory. Latest version
> is always available from:
> 
> http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=contrib/safe_clamd/safe_clamd
> 
> We would like to make this script the preferred version to start clamd, 
> just like other OSS projects do (e.g. asterisk, mysql).
> 
> Before we do, we would like to receive more feedback on this script.
> 
> If you haven't tried it yet, we kindly ask you that you give it a try
> and report any problems through our bugzilla.
> 
> Thanks,


Luca,

I configure my launchd plist for OSX to both start clamd and to keep it running 
if it crashes. I will say that although I have tested it by manually killing 
clamd, I haven't noticed clamd crashing here.

Given this built-in capability in OSX I would not be for having this script 
incorporated as a default for OSX.

Just my 2 cents,

Tom

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] PS Re: Unable to install ClamAV 96.3.

2010-10-01 Thread TR Shaw
There is a patch for bsd (also required for Apple) for PDFs, and there is a 
bogus link warning about .map files which you can ignore.

Tom

On Oct 1, 2010, at 1:10 AM, Al Varnell wrote:

> On Sep 30, 2010, at 9:05 PM, Dennis Peterson  wrote:
> 
>> On 9/30/10 8:57 PM, Syed Zubair wrote:
>>> This is what I get when I try to install ClamAV 96.3: Help
>> 
>>> configure: Summary of engine detection features
>>>  autoit_ea06 : yes
>>>  bzip2   : bugged (CVE-2010-0405)
>>>  zlib: /usr
>>>  unrar   : yes
>>> configure: WARNING:
>>> ** WARNING:
>>> ** You are cross compiling to a different host or you are
>>> ** linking to bugged system libraries or you have manually
>>> ** disabled important configure checks.
>>> ** Please be aware that this build may be badly broken.
>>> ** DO NOT REPORT BUGS BASED ON THIS BUILD !!!
>>> 
>>> -bash-2.05b$
>>> 
>>> 
>> 
>> Apple released an upgrade to bzip2 a few days ago - did you install it?
>> 
>> 
> I don't think so.  I just checked the user and developer support downloads 
> and there's no sign of it.  It has been available from third party porting 
> publishers, but nothing heard from Apple.  Do you have a reference?
> 
> 
> 
> Sent from my iPad
> 
> -Al-
> -- 
> Al Varnell
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Unable to install ClamAV 96.3.

2010-10-01 Thread TR Shaw
Al

Just compile bzip2 from the source. That's what I did and everything was fine.

Tom

On Oct 1, 2010, at 1:10 AM, Al Varnell wrote:

> On Sep 30, 2010, at 9:05 PM, Dennis Peterson  wrote:
> 
>> On 9/30/10 8:57 PM, Syed Zubair wrote:
>>> This is what I get when I try to install ClamAV 96.3: Help
>> 
>>> configure: Summary of engine detection features
>>>  autoit_ea06 : yes
>>>  bzip2   : bugged (CVE-2010-0405)
>>>  zlib: /usr
>>>  unrar   : yes
>>> configure: WARNING:
>>> ** WARNING:
>>> ** You are cross compiling to a different host or you are
>>> ** linking to bugged system libraries or you have manually
>>> ** disabled important configure checks.
>>> ** Please be aware that this build may be badly broken.
>>> ** DO NOT REPORT BUGS BASED ON THIS BUILD !!!
>>> 
>>> -bash-2.05b$
>>> 
>>> 
>> 
>> Apple released an upgrade to bzip2 a few days ago - did you install it?
>> 
>> 
> I don't think so.  I just checked the user and developer support downloads 
> and there's no sign of it.  It has been available from third party porting 
> publishers, but nothing heard from Apple.  Do you have a reference?
> 
> 
> 
> Sent from my iPad
> 
> -Al-
> -- 
> Al Varnell
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] block attachment with certain file endings (also in archives)

2010-09-28 Thread TR Shaw

On Sep 27, 2010, at 10:36 PM, Florian Friesdorf wrote:

> Hi,
> 
> I host several mailing list with plenty of users having gmail accounts.
> 
> gmail blocks attachments with certain file endings (also if the files
> are in certain archives):
> 
> http://mail.google.com/support/bin/answer.py?answer=6590
> 
> I am using clamav-milter with postfix. Is it possible to implement this
> policy through custom clamav signatures? From the signatures pdf I was
> not able to figure it out so far.
> 
> Would you suggest another approach?

This is where a content filter such as SpamAssassin, ASSP, etc. is most 
appropriate. That said, you can write a mime part header signature to do this up 
to a point.

Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Tracking false positives

2010-09-27 Thread TR Shaw

On Sep 27, 2010, at 4:24 PM, Alex wrote:

> Hi,
> 
>> In addition, there a brilliant Third-Party signature decoder here, which
>> will easily show you the content of the Third-Party signature,
>> just cut/paste or type in the signature name and it'll decode it:
>> 
>> http://www.sanesecurity.com/clamav/decodesigs.htm
> 
> Some time ago I was trying to decode a third-party signature, and this
> above link was helpful. It seems I'm having difficulty with another
> one, however. I tried the link above, and it doesn't seem to decode
> it. I also came across a reference to doing this from the command
> line, and receive an error using this method too:
> 
> # sigtool -fwinnow.malware.47853 | sigtool --decode-sigs
> ERROR: decodesig: Invalid or not supported signature format
> TOKENS COUNT: 3
> 
> Isn't that the proper way to do this? Just running sigtool returns:
> 
> # e42724a855ce18d0890c15f2805769db:15872:winnow.malware.47853


Alex, that's just a file sig, e.g. MD5, file size, sig name.


If you believe it's a FP, please send an email to me explaining why.

However you should view:

http://www.virustotal.com/file-scan/report.html?id=9ef6116b0e3e1f663e48b76dc2957d97187f7414be0024b721569d67d378ff56-1285602198

btw, I now see basic clam detects it also so it will be removed on the next 
signature verification run.

Tom


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
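The line Alex posted is a plain .hdb hash signature (MD5:FileSize:MalwareName), which is why sigtool --decode-sigs has nothing to decode. As an added example that is not part of the original thread, the helpers below parse such lines, show their fields, and match a file against them the same way a (size, hash) lookup does; the second signature and SAMPLE_BYTES are constructed here for demonstration, and the optional trailing fields the regex tolerates are an assumption not shown on the page.

```python
"""Parse and match ClamAV .hdb hash signatures (MD5:FileSize:MalwareName).

Added example, not code from the list thread or from ClamAV itself.
"""
import hashlib
import re

# MD5 hex, decimal size, name. Trailing ":number" fields (functionality
# levels) are tolerated and ignored; that part is an assumption.
_HDB_RE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):([^:\s]+)(?::\d+)*\s*$")

# Constructed sample content standing in for a scanned file.
SAMPLE_BYTES = b"constructed test file, not malware\n"

# The first line is the one posted on the list.
LIST_LINE = "e42724a855ce18d0890c15f2805769db:15872:winnow.malware.47853"


def make_hdb_line(data, name):
    """Build the same shape of line that 'sigtool --md5 FILE' prints."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def explain(line):
    """Split one hdb line into named fields (the 'decode' Alex was after)."""
    m = _HDB_RE.match(line)
    if not m:
        raise ValueError("not an hdb signature: %r" % line)
    return {"md5": m.group(1).lower(),
            "file_size": int(m.group(2)),
            "name": m.group(3)}


def parse_hdb(text):
    """Return {(md5, size): name} for a whole .hdb file's text.
    Blank lines and '#' comments are skipped; malformed lines raise."""
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _HDB_RE.match(line)
        if not m:
            raise ValueError("line %d: not an hdb signature: %r" % (lineno, line))
        sigs[(m.group(1).lower(), int(m.group(2)))] = m.group(3)
    return sigs


def match_hdb(data, sigs):
    """Return the matching signature name or None. Size is part of the key,
    so a hash collision at a different length cannot produce a hit."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


# Constructed second signature so the match path can be exercised offline.
SAMPLE_HDB = "# constructed test database\n" + LIST_LINE + "\n" + \
    make_hdb_line(SAMPLE_BYTES, "Constructed.Test.Sample-1") + "\n"


if __name__ == "__main__":
    sigs = parse_hdb(SAMPLE_HDB)
    print(explain(LIST_LINE))
    print("sample matches:", match_hdb(SAMPLE_BYTES, sigs))
    print("sample+1 byte matches:", match_hdb(SAMPLE_BYTES + b"x", sigs))
```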


Re: [Clamav-users] SubmitDetectionStats: Incorrect format of the log file

2010-09-26 Thread TR Shaw
Having issues:

/usr/local/bin/clamscan --official-db-only --infected --detect-broken 
--move=/Usersx/virus_archive /Usersx/malware/
LibClamAV Error: cli_pdf: mmap() failed (2)

Have no idea what this means.  Should I submit a bug report?

Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] What ever happened to the Release Candidate for 0.96.3??

2010-09-22 Thread TR Shaw
Wendy,

Download the source from bzip, open the make file and insert

CFLAGS=-Os -arch i386 -arch x86_64 $(BIGFILES)
or
CFLAGS=-Os -arch ppc $(BIGFILES)

depending on which processor you need and then

sudo make install

Tom

On Sep 22, 2010, at 11:59 AM, Wendy J Bossons wrote:

> I am running clamav on my dev laptop which is Snow Leopard, running FreeBSD. 
> The bzip2 warning if I don't have to worry about it -- that's fine. But if I 
> wanted to fix the issue, I don't think it's obvious how to go about it. I 
> would rather ran the software without the warning -- warnings are there to 
> put up flags to the developer. I am not doing my job if I ignore it, nor if I 
> have to jump through all kinds of hoops otherwise -- it's a time burner.
> 
> 
> Wendy Bossons
> Web Developer
> MIT Libraries
> Technology Research & Development
> Building E25-131
> 77 Massachusetts Ave.
> Cambridge, MA 02141-4307
> Phone 617-253-0770
> Fax 617-253-4462
> wboss...@mit.edu
> http://libraries.mit.edu
> 
> 
> On Sep 22, 2010, at 11:48 AM, Tomasz Kojm wrote:
> 
> On Wed, 22 Sep 2010 10:14:57 -0500 George Kasica wrote:
> 
> Tomaz:
> 
> Typical issues as in the past...first no clue it was coming out(no
> release candidate no announcement)...it just appeared, no idea it would
> have issues with bzip2,
> 
> 0.96.3 is a security release, which fixes an integer overflow in the
> bzip2 library (we use a modified version of this lib in the NSIS
> unpacker). It also detects whether or not your local libbz2 (which we
> use to handle .bz2 files) is affected by this problem and prints a
> warning if needed.
> 
> and STILL no fix to bzip2 RPMs for the Fedora Core 13 platform
> 
> Well, we have no control over those RPMs..
> 
> (we had to compile from a tar.gz for the others) except
> RHEL4/5 that have RPMs out (AFTER 0.96.3 released),
> 
> So you did the right job. Your bzip2 lib can no longer be exploited.
> 
> the ULIMIT issue
> that I still don't fully grasp here and am still not clear if it's
> something we need to deal with... things seem to run so for now we
> haven't gone in and touched it (again, this wasn't an issue in 0.96.2, why
> is it an issue in 0.96.3 which appears to be a minor release 0.0.1)
> 
> This issue was recently described on the ml. The warning can be safely
> ignored on Linux.
> 
> In our environment we have certain time-frames where we need to apply
> code once it's released depending on what and why it was put out so we
> don't always have the luxury to let it sit for days... getting code that
> is not labeled as RC and is supposedly prod quality and ready to go and
> having these issues is not good... we've spent a good portion of the week
> on this so far and seem to be finally OK, but it could have been much
> smoother (again)... brings me back to the point of why are we running
> these 4 test harness boxes for Torok if no-one is looking at what is
> coming back from them.
> 
> Thanks for your support. The 0.96.3 was tested on your boxes and
> confirmed to work fine before we released it. Since the tests are fully
> automated, we missed the ULIMIT warning issue but as I wrote above, it
> can just be ignored.
> 
> Cheers,
> 
> --
>    oo    .     Tomasz Kojm <tk...@clamav.net>
>   (\/)\.  _    http://www.ClamAV.net/gpg/tkojm.gpg
>      \..._     0DCA5A08407D5288279DB43454822DC8985A444B
>     //\   /\   Wed Sep 22 17:38:15 CEST 2010


Re: [Clamav-users] What ever happened to the Release Candidate for 0.96.3??

2010-09-22 Thread TR Shaw
Wendy

Download the bzip2 security release and compile.  I have to go back to my 
office to check what compile settings are necessary as the default Makefile is 
not good enough.

Tom



Re: [Clamav-users] Tracking false positives

2010-09-14 Thread TR Shaw

On Sep 14, 2010, at 7:00 AM, Alex wrote:

> Hi,
> 
>> In addition, there a brilliant Third-Party signature decoder here, which
>> will easily show you the content of the Third-Party signature,
>> just cut/paste or type in the signature name and it'll decode it:
>> 
>> http://www.sanesecurity.com/clamav/decodesigs.htm
> 
> Great info, thanks.
> 
> Turns out that it matches underconstruction.networksolutions.com. Is
> it possible to make these signatures score a few points instead of
> being a poison pill, and killing the email entirely?

Most of us weight the results in our mailservers/proxies/milters and score the 
weights in SA/ASSP/etc.

However, the signature was the IP 205.178.189.13 and not the host name. That IP 
hosts a lot more than a reverse DNS would lead you to believe.  When it was 
listed it contained a Zeus bot and was also infected with an iframe attack hosted 
on that IP. See 
http://malware.im/network-solutions-and-wordpress-security-flaw/  Given the 
above I am not sure I would deweight the signatures.  In fact, I have to wonder 
what kind of email would contain that IP in a URL. You do whitelist accounts 
that discuss viruses/malware/etc, don't you?  




Re: [Clamav-users] Tracking false positives

2010-09-13 Thread TR Shaw

On Sep 13, 2010, at 1:58 PM, Alex wrote:

> Hi,
> 
>>> winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
> 
>> That signature is not in our active database. When did you last update your 
>> files?  Zeus URLs and IPs come and go as machines are infected and cleaned so 
>> you must keep your rules current.
> 
> # ls -l winnow_malware_links.ndb
> -rw-r--r--  1 vscan vscan 489480 Sep 12 19:47 winnow_malware_links.ndb
> 
> The user also reported this on an email that was received on the 9th, I 
> believe.
> 
> I'm also wondering how a domain name, which is what triggered this
> rule, is found within this hash:
> 
> # sigtool -f winnow.botnets.zu.zeus.4637
> winnow.botnets.zu.zeus.4637:3:*:(2e|2f|40|20|3c)3230352e3137382e3138392e313239(27|22|20|2f|3d|3e|0a|0d)
> 

Wasn't a domain name but an IP


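The sigtool -f output quoted above is a ClamAV .ndb body signature: name, target type, offset, then a hex body in which (a|b|c) is a set of alternatives. The Python below is an added example, not code from ClamAV, Sanesecurity or anyone in this thread: it parses that line, renders the hex body readably the way the sanesecurity decoder page does (which shows the literal IP the signature actually carries), and compiles the body to a regex so it can be tried against sample data offline. It goes beyond the one signature by also handling the *, ?? / nibble and {n-m} wildcards of the .ndb format. The second signature, the sample bodies and the TARGET_TYPES table entries are constructed or assumed for the demonstration; matching raw bytes is a simplification, since target type 3 means libclamav runs the pattern over normalised HTML, so this is a reading aid, not a replacement for clamscan.

```python
import re

# Target types from the ClamAV signature format (0-7 and 9 listed here; assumption
# for this example, check the signatures manual for the full table).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML (normalised)", 4: "mail",
                5: "graphics", 6: "ELF", 7: "ASCII (normalised)", 9: "Mach-O"}

# Copied from the sigtool -f output quoted in the thread.
ZEUS_SIG = ("winnow.botnets.zu.zeus.4637:3:*:"
            "(2e|2f|40|20|3c)3230352e3137382e3138392e313239"
            "(27|22|20|2f|3d|3e|0a|0d)")
# Constructed for this example, not from any real database:
# "http://", then 0-20 arbitrary bytes, then ".exe".
WILDCARD_SIG = "Example.Test.Wildcard:0:*:687474703a2f2f{0-20}2e657865"

# Constructed sample bodies, not real mail.
SAMPLE_HIT = (b"<html><body>Your invoice: "
              b'<a href="http://205.178.189.129/inv.php">view</a></body></html>')
SAMPLE_MISS = b'<a href="http://205.178.189.13/inv.php">view</a>'  # .13, not .129
SAMPLE_EXE = b"Download http://example.invalid/a.exe today"

# One token of the hex body: (alt|alt), {n} {n-m} {n-} {-m}, *, or a byte pair.
_TOKEN = re.compile(r"\(([0-9a-f?|]+)\)|\{(\d*)(-?)(\d*)\}|\*|[0-9a-f?]{2}", re.I)


def parse_ndb(line):
    """Split 'Name:Target:Offset:HexSig[:MinFL[:MaxFL]]' into its fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not an ndb signature: %r" % line)
    name, target, offset, hexsig = parts[:4]
    return {"name": name, "target": int(target),
            "target_desc": TARGET_TYPES.get(int(target), "unknown"),
            "offset": offset, "hexsig": hexsig}


def _tokens(hexsig):
    """Yield ('byte', 'xx') | ('alt', [hex, ...]) | ('range', (lo, hi)) | ('any', None)."""
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at %d in %r" % (pos, hexsig))
        pos = m.end()
        if m.group(1) is not None:
            alts = m.group(1).split("|")
            if any(len(a) % 2 for a in alts):
                raise ValueError("odd-length alternative in %r" % m.group(0))
            yield "alt", alts
        elif m.group(0).startswith("{"):
            lo, dash, hi = m.group(2), m.group(3), m.group(4)
            lo_n = int(lo) if lo else 0
            hi_n = lo_n if not dash else (int(hi) if hi else None)  # None = unbounded
            yield "range", (lo_n, hi_n)
        elif m.group(0) == "*":
            yield "any", None
        else:
            yield "byte", m.group(0)
    if pos != len(hexsig):
        raise ValueError("trailing garbage in %r" % hexsig)


def _pair_to_regex(pair):
    """One byte, honouring the '?' nibble wildcard, as a bytes regex fragment."""
    hi, lo = pair[0], pair[1]
    if hi == "?" and lo == "?":
        return b"."
    if lo == "?":                                   # 4? -> bytes 0x40..0x4f
        base = int(hi, 16) << 4
        return b"[" + re.escape(bytes([base])) + b"-" + re.escape(bytes([base | 0xF])) + b"]"
    if hi == "?":                                   # ?1 -> every byte whose low nibble is 1
        return b"[" + b"".join(re.escape(bytes([(h << 4) | int(lo, 16)])) for h in range(16)) + b"]"
    return re.escape(bytes([int(pair, 16)]))


def hexsig_to_regex(hexsig):
    """Compile the hex body to a bytes regex; '*' is non-greedy, DOTALL on."""
    out = []
    for kind, val in _tokens(hexsig):
        if kind == "byte":
            out.append(_pair_to_regex(val))
        elif kind == "alt":
            out.append(b"(?:" + b"|".join(
                b"".join(_pair_to_regex(a[i:i + 2]) for i in range(0, len(a), 2)) for a in val) + b")")
        elif kind == "range":
            lo, hi = val
            out.append(b".{%d,%s}" % (lo, b"" if hi is None else str(hi).encode()))
        else:
            out.append(b".*?")
    return re.compile(b"".join(out), re.DOTALL)


def _show_pair(pair):
    if "?" in pair:
        return "[" + pair + "]"
    b = int(pair, 16)
    return chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b


def hexsig_to_text(hexsig):
    """Render the hex body readably: printable bytes as themselves, others as \\xNN."""
    out = []
    for kind, val in _tokens(hexsig):
        if kind == "byte":
            out.append(_show_pair(val))
        elif kind == "alt":
            out.append("(" + "|".join("".join(_show_pair(a[i:i + 2]) for i in range(0, len(a), 2))
                                      for a in val) + ")")
        elif kind == "range":
            lo, hi = val
            out.append("{%d}" % lo if hi == lo else "{%d-%s}" % (lo, "" if hi is None else hi))
        else:
            out.append("*")
    return "".join(out)


def scan(data, sig_lines):
    """Names of signatures whose body occurs anywhere in data (offset '*' only).
    The '.UNOFFICIAL' suffix mimics what clamscan appends for unsigned third-party DBs."""
    hits = []
    for line in sig_lines:
        sig = parse_ndb(line)
        if sig["offset"] != "*":
            raise NotImplementedError("fixed offsets not supported: %s" % sig["name"])
        if hexsig_to_regex(sig["hexsig"]).search(data):
            hits.append(sig["name"] + ".UNOFFICIAL")
    return hits


if __name__ == "__main__":
    for line in (ZEUS_SIG, WILDCARD_SIG):
        sig = parse_ndb(line)
        print("%s  target=%s  offset=%s" % (sig["name"], sig["target_desc"], sig["offset"]))
        print("   " + hexsig_to_text(sig["hexsig"]))
    for label, body in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("exe", SAMPLE_EXE)):
        print(label, scan(body, [ZEUS_SIG, WILDCARD_SIG]))
```

Decoding ZEUS_SIG gives `(.|/|@| |<)205.178.189.129('|"| |/|=|>|\x0a|\x0d)`: the body is the literal dotted IP with one delimiter byte required on each side, so it fires on any HTML or mail text that embeds that address in a URL, regardless of host name or rDNS. The delimiter sets are what keep it from matching a longer address such as 205.178.189.1291; the SAMPLE_MISS body shows that a different last octet does not trip it.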


Re: [Clamav-users] Tracking false positives

2010-09-13 Thread TR Shaw

On Sep 13, 2010, at 12:48 PM, Alex wrote:

> Hi,
> 
> We had a user report that their email was tagged with
> winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
> I track this, and determine which database it was that contains this
> pattern, and why it considered this email to contain this virus?
> 
> I can run the email through clamscan with the latest updates and it
> still finds the zeus virus.
> 
> I'd like to submit this to someone to reduce this false positive, but
> I really can't for privacy reasons. Is there something else I can do
> to help?

Alex,

That signature is not in our active database. When did you last update your 
files?  Zeus URLs and IPs come and go as machines are infected and cleaned so 
you must keep your rules current.

Tom



Re: [Clamav-users] Phishing detection on downloaded pages

2009-12-10 Thread TR Shaw

On Dec 10, 2009, at 6:24 AM, Török Edwin  wrote:

> On 2009-12-10 13:06, Sundara Kaku wrote:
>> Thanks for the reply,
>
> However if all you want is detect phishing, the heuristic phishing
> detection won't work with webpages, it is designed for phishing mails
> (which are different than the phishing websites themselves).
> The only detection you can gain are the Email.Phishing.*.RB signatures,
> and the safebrowsing DB (which you can query by other means).
>
> Edwin

You also can gain from html unofficial sigs

Tom
