Re: [clamav-users] About PDF files detected as encrypted files

2023-10-23 Thread Tsutomu Oyamada
Hi,

Thank you for your reply.
I understood very well.
It was useful to me.

Regards,
T.O

On Wed, 11 Oct 2023 15:40:37 +0300
Maxim Britov via clamav-users  wrote:

> On 10.10.2023 13:32, Tsutomu Oyamada wrote:
> > Hi, all
> >
> > We received following report from one of our users.
> > The user is using clamd 0.103 on AIX 7.2.
> >
> > When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF 
> > which is locked for editing, it is detected as "Heuristics.Encrypted.PDF 
> > FOUND".
> 
> https://github.com/Cisco-Talos/clamav/issues/770
> 
> $ pdf-parser.py -o 40 214-230137_01_006.pdf
> 
> obj 40 0
>   Type:
>   Referencing:
> 
><<
>  /EncryptMetadata true
>  /P -1852
>  /U
><<
>  /StdCF
><<
>  /Type /CryptFilter
>  /Length 16
>  /AuthEvent /DocOpen
>  /CFM /AESV2
>>>
>>>
>  /Length 128
>  /V 4
>  /Filter /Standard
>>>
> 
> 
> > The PDF is locked for editing, but not locked for viewing.
> > The PDF file can be found at the following URL.
> > https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
> >
> > It looks like the same behavior when clamd scans a PDF which is locked for 
> > viewing.
> > The log is as follows;
> >
> > Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf: Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND
> >
> > We could reproduce the behavior on our test environment, clamd daemon 1.0.2 
> > (OS: Linux, ARCH: x86_64, CPU: x86_64).
> >
> > Could you tell us how to fix it to scan that PDF properly?
> >
> > T.O
> >
> 


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
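The pdf-parser dump Maxim quoted explains both halves of the report: the file carries a /Standard security handler (/V 4, AES-128 via the StdCF crypt filter) and a /P of -1852, and the scan log shows that the presence of that /Encrypt dictionary is enough for ClamAV to raise Heuristics.Encrypted.PDF even though the file opens without a password. The script below is an added example, not code from the thread or from ClamAV, that pulls the same fields out of a PDF and decodes the /P permission bits. Every name in it is mine; the sample document is constructed here, its /Encrypt entries mirror the dump above, /R 4 is an assumption because the dump does not show /R, and /O and /U are zero placeholders rather than real password digests.

```python
import re

# /P permission bits (PDF 32000-1:2008, Table 22), 1-based positions. The unlisted
# bits are reserved and must be 1, which is why a real /P is normally negative.
PERMISSION_BITS = {
    3: "print", 4: "modify contents", 5: "copy/extract text and graphics",
    6: "add/modify annotations and form fields", 9: "fill in form fields",
    10: "extract for accessibility", 11: "assemble (insert/rotate/delete pages)",
    12: "print at full quality",
}


def decode_permissions(p):
    """Map the signed 32-bit /P value to {operation: allowed}."""
    return {name: bool((p & 0xFFFFFFFF) & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


def _skip_string(buf, i):
    """Offset just past the hex '<..>' or literal '(..)' string that starts at buf[i]."""
    if buf[i:i + 1] == b"<":
        return buf.index(b">", i) + 1
    depth = 0
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            i += 1                       # escaped byte: never a delimiter
        elif c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated string")


def _scan_dict(buf, start):
    """Return (full, top) for the balanced dictionary at buf[start]: its raw bytes and a
    copy with nested dictionaries collapsed to '<<...>>', so the top-level /Length 128 is
    not confused with the /Length 16 inside /CF. Strings are skipped whole because the
    binary /O and /U values may happen to contain '<<' or '>>'."""
    depth, i, top = 0, start, bytearray()
    while i < len(buf):
        two, c = buf[i:i + 2], buf[i:i + 1]
        if two == b"<<":
            depth += 1
            top += b"<<" if depth == 1 else (b"<<...>>" if depth == 2 else b"")
            i += 2
        elif two == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return buf[start:i], bytes(top + b">>")
        elif c in (b"(", b"<"):
            j = _skip_string(buf, i)
            top += buf[i:j] if depth == 1 else b""
            i = j
        else:
            top += c if depth == 1 else b""
            i += 1
    raise ValueError("unbalanced dictionary")


def find_encrypt_dict(pdf):
    """(full, top) of the /Encrypt dictionary the trailer references, or None."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref is None:
        return None
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj", pdf)
    return _scan_dict(pdf, pdf.index(b"<<", obj.end())) if obj else None


def _field(pattern, buf, conv=int):
    m = re.search(pattern, buf)
    return conv(m.group(1)) if m else None


def summarize_encryption(pdf):
    """Describe how the document is encrypted. Whether the *user* password is empty
    (viewers open the file without prompting) is not stored in these entries; only the
    security handler's password check against /U can tell."""
    found = find_encrypt_dict(pdf)
    if found is None:
        return {"encrypted": False}
    full, top = found
    name = lambda b: b.decode("ascii")
    p = _field(rb"/P\s+(-?\d+)", top)
    return {
        "encrypted": True,
        "filter": _field(rb"/Filter\s*/(\w+)", top, name),
        "v": _field(rb"/V\s+(\d+)", top),
        "r": _field(rb"/R\s+(\d+)", top),
        "key_bits": _field(rb"/Length\s+(\d+)", top),
        "cfm": _field(rb"/CFM\s*/(\w+)", full, name),   # inside /CF, so use the full dict
        "encrypt_metadata": _field(rb"/EncryptMetadata\s+(true|false)", top, name) != "false",
        "permissions": decode_permissions(p) if p is not None else None,
    }


# Constructed sample, not the file from the thread: the /Encrypt entries mirror the
# pdf-parser dump above, /R 4 is assumed, and /O and /U are zero placeholders.
SAMPLE_PDF = (
    b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"40 0 obj\n<< /Filter /Standard /EncryptMetadata true /P -1852\n"
    b"   /CF << /StdCF << /Type /CryptFilter /Length 16 /AuthEvent /DocOpen /CFM /AESV2 >> >>\n"
    b"   /StmF /StdCF /StrF /StdCF /Length 128 /V 4 /R 4 /O <" + b"00" * 32 + b"> /U <" + b"00" * 32 + b"> >>\n"
    b"endobj\ntrailer\n<< /Root 1 0 R /Encrypt 40 0 R /ID [<0123> <0123>] >>\n%%EOF\n"
)
```

Calling summarize_encryption(SAMPLE_PDF) reports /Standard, V 4, a 128-bit key, AESV2, and decodes /P -1852 (0xFFFFF8C4) as: print and print-at-full-quality allowed, every other bit (modify, copy, annotate, fill forms, accessibility extraction, assembly) cleared, which is exactly "locked for editing, not locked for viewing". The one thing the dictionary cannot tell you is whether the user password is empty; that needs the standard handler's password algorithm run against /U, which is out of scope here.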


[clamav-users] About PDF files detected as encrypted files

2023-10-10 Thread Tsutomu Oyamada
Hi, all

We received following report from one of our users.
The user is using clamd 0.103 on AIX 7.2.

When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which 
is locked for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
The PDF is locked for editing, but not locked for viewing.
The PDF file can be found at the following URL.
https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf

It looks like the same behavior when clamd scans a PDF which is locked for 
viewing.
The log is as follows;

Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf: Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND

We could reproduce the behavior on our test environment, clamd daemon 1.0.2 
(OS: Linux, ARCH: x86_64, CPU: x86_64).

Could you tell us how to fix it to scan that PDF properly?

T.O



Re: [clamav-users] about ”Can't allocate memory ERROR”

2023-02-16 Thread Tsutomu Oyamada
Hi,

I also tried it with ClamAV 0.104.2.
I got an error as well.

# clamscan /home/cecuser/lwiservice.exe
Loading:20s, ETA:   0s [>]8.65M/8.65M sigs
Compiling:   5s, ETA:   0s [>]   41/41 tasks

calloc_problem: Not enough space
LibClamAV Error: cli_calloc(): Can't allocate memory (66256128 bytes).
calloc_problem: Not enough space
LibClamAV Error: cli_calloc(): Can't allocate memory (66256128 bytes).
LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
/home/cecuser/lwiservice.exe: Can't allocate memory ERROR

--- SCAN SUMMARY ---
Known viruses: 8652920
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 0.15 MB (ratio 0.00:1)
Time: 27.111 sec (0 m 27 s)
Start Date: 2023:02:16 07:35:28
End Date:   2023:02:16 07:35:55
# freshclam -V
ClamAV 0.104.2/26814/Thu Feb 16 03:40:04 2023

So isn't something wrong after all?

On Thu, 9 Feb 2023 15:06:16 + (GMT)
Andrew C Aitchison via clamav-users  wrote:

> 
> On Thu, 9 Feb 2023, Tsutomu Oyamada wrote:
> 
> > Hi, Andy.
> >
> > Thanks for your reply.
> >
> > I am aware that version 0.103.4 is still supported by LTS.
> 
> 0.103.4 came out in Nov 2021.
> The current supported versions include 0.103.7 from July 2022.
> 
> > Also, my system is AIX. Does that have an effect?
> > I would like to try it with the latest version.
> 
> > From 0.104 onwards ClamAV uses Rust.
> Rust on AIX appears to be a work in progress:
> https://github.com/rust-lang/compiler-team/issues/553
> 
> -- Andrew C. Aitchison  Kendal, UK
> and...@aitchison.me.uk




Re: [clamav-users] about ”Can't allocate memory ERROR”

2023-02-09 Thread Tsutomu Oyamada
Hi, Andy.

Thanks for your reply.

I am aware that version 0.103.4 is still supported by LTS.
Some of the scan logs for this time are shown below.

[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - /esa/bin/lwiservice.exe: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - /esa/bin/lwiserviceicon.exe: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - /esa/bin/lwiserviceiconremove.exe: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:50 2023 - /esa/runtime/core/eclipse/features/com.ibm.lwi.application.feature_8.1.0.3-LWI/installHandler.jar: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:25:26 2023 - /esa/runtime/core/eclipse/plugins/com.ibm.rcp.base_6.2.1.20091117-1800/win32/x86/eclipse_1114.dll: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:26:22 2023 - /esa/runtime/core/eclipse/plugins/org.eclipse.core.filesystem.win32.x86_1.1.0.v20080604-1400.jar: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:26:23 2023 - /esa/runtime/core/eclipse/plugins/org.eclipse.core.resources.win32.x86_3.4.0.v20071204.jar: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:26:34 2023 - /esa/runtime/core/eclipse/plugins/org.eclipse.equinox.security.win32.x86_1.0.0.v20080529-1600/jnicrypt.dll: Can't allocate memory ERROR
[2023-01-12 19:03:11.031] Thu Jan 12 10:26:46 2023 - /esa/runtime/core/eclipse/plugins/org.eclipse.update.core.win32_3.2.100.v20080107.jar: Can't allocate memory ERROR
[2023-01-12 19:03:11.031] Thu Jan 12 10:33:08 2023 - /opt/IBM/ibm-java-ppc64-60/docs/launchpad/ScriptLauncher.exe: Can't allocate memory ERROR
[2023-01-12 19:03:11.031] Thu Jan 12 10:33:13 2023 - /opt/IBM/ibm-java-ppc64-60/docs/launchpad.exe: Can't allocate memory ERROR

Nearly 150 other files are in the same state.

Also, my system is AIX. Does that have an effect?
I would like to try it with the latest version.

Thanks,
T.O

On Wed, 1 Feb 2023 21:11:01 +
"Andy Ragusa \(aragusa\) via clamav-users"  
wrote:

> Hi,
> 
> That version is pretty old, have you tried using version 1.0?
> 
> When I opened that zip file, I am only seeing the following (no log files)
> 
> com.ibm.websphere.LIBERTY.shared_013_all.all_x_8.5.5003.201407301652.zip
> lwiservice.exe
> NativeFile.dll
> org.eclipse.core.filesystem.win32.x86_1.1.0.v20070510.jar
> 
> Thanks,
> Andy
> 
> ________
> From: clamav-users  on behalf of 
> Tsutomu Oyamada 
> Sent: Wednesday, February 1, 2023 8:36 AM
> To: ClamAV users ML 
> Subject: [clamav-users] about ”Can't allocate memory ERROR”
> 
> Hi all,
> 
> We use the services of clamd to scan files.
> The version of clamd is 0.103.4.
> 
> When scanning some files, the result is "Can't allocate memory ERROR". However, 
> with 24GB of memory on the system, there is no possibility of running out of 
> memory. I have tried it on several systems with the same result, so I think 
> there may be a problem with clamd.
> 
> I put the error file at the following URL.
> https://www.uinet.or.jp/~oyamada/error_files.zip
> 
> Please tell me how to deal with it other than adding memory.
> 
> Best regards
> T.O
> 




[clamav-users] about ”Can't allocate memory ERROR”

2023-02-01 Thread Tsutomu Oyamada
Hi all,

We use the services of clamd to scan files.
The version of clamd is 0.103.4.

When scanning some files, the result is "Can't allocate memory ERROR". However, 
with 24GB of memory on the system, there is no possibility of running out of 
memory. I have tried it on several systems with the same result, so I think 
there may be a problem with clamd.

I put the error file at the following URL.
https://www.uinet.or.jp/~oyamada/error_files.zip

Please tell me how to deal with it other than adding memory.

Best regards
T.O



Re: [clamav-users] About scanning files larger than 2 GB in size

2023-01-29 Thread Tsutomu Oyamada
Thank you for the information.
I understand that files larger than 2GB will be treated as clean files without 
the "AlertExceedsMax yes" setting.
I want to wait for the day when I can properly scan files larger than 2GB.

T.O

On Thu, 26 Jan 2023 22:27:12 +
"Micah Snyder \(micasnyd\) via clamav-users"  
wrote:

> > Tsutomu Oyamada asked what actually happens when a large file is
> > scanned, not why the limit is there.
> 
> The default behavior is to treat the file as clean if any of the scan limits 
> are exceeded (scan time, scan size, file size, etc).
> 
> If you want an alert if the limits are exceeded, then you can use the 
> following options:
> For ClamD, set "AlertExceedsMax yes" in the "clamd.conf" file.
> For ClamScan, use the "--alert-exceeds-max" option on the command line.
> 
> This will cause clamav to report one of the following signatures when the 
> limits are exceeded:
>   - Heuristics.Limits.Exceeded.MaxFileSize
>   - Heuristics.Limits.Exceeded.MaxScanSize
>   - Heuristics.Limits.Exceeded.MaxFiles
>   - Heuristics.Limits.Exceeded.MaxRecursion
>   - Heuristics.Limits.Exceeded.MaxScanTime
>   - Heuristics.Limits.Exceeded.EmailLineFoldcnt
>   - Heuristics.Limits.Exceeded.EmailHeaderBytes
>   - Heuristics.Limits.Exceeded.EmailHeaders
>   - Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage
>   - Heuristics.Limits.Exceeded.EmailMIMEArguments
> and possibly more with the "Heuristics.Limits.Exceeded." prefix.
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
> From: Andrew C Aitchison 
> Sent: Wednesday, January 25, 2023 10:59 PM
> To: Micah Snyder (micasnyd) via clamav-users 
> Cc: Micah Snyder (micasnyd) 
> Subject: Re: [clamav-users] About scanning files larger than 2 GB in size
> 
> On Thu, 26 Jan 2023, Micah Snyder (micasnyd) via clamav-users wrote:
> 
> > Paul is sort-of correct but the 2GB limit isn't artificial as he has 
> > implied.
> 
> Paul did not answer the original poster's question.
> Tsutomu Oyamada asked what actually happens when a large file is
> scanned, not why the limit is there.
> 
> > On Sun, 22 Jan 2023 05:40:18 +0900
> > Tsutomu Oyamada  wrote:
> >
> >> How do I set up clamd?
> >> Setting MaxFileSize to "0" is unlimited, but internally files
> >> larger than 2GB in size cannot be scanned.  In this case, do you
> >> treat the file as clean without scanning it at all?
> 
> > ClamAV code contains a lot of signed and unsigned 32bit variables
> > that must be upgraded to 64bit variables to support larger files.
> > Before raising the limit, a tedious audit process must be completed
> > to ensure that all variables are upgraded in all modules.  We cannot
> > simply remove the limit and cross our fingers.
> 
> A static analyzer such as cppcheck, PVS-Studio or the ones built into
> gcc and clang may be useful tools in the tedious audit.
> 
> --
> Andrew C. Aitchison  Kendal, UK
> and...@aitchison.me.uk


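Micah's answer above and the "Can't allocate memory ERROR" thread earlier on this page come down to the same operational question: which result lines mean "the file was checked and is clean", and which mean "the file was never fully scanned"? Without AlertExceedsMax an over-limit file is reported as OK, with it you get a Heuristics.Limits.Exceeded.* line, and an ERROR line means the engine gave up on that file altogether. (On AIX, "Not enough space" is the strerror text for ENOMEM, so a 66 MB calloc failing on a 24 GB machine points at a per-process limit such as the data segment size, ulimit -d, rather than at physical memory; that is the first thing to check.) The script below is an added example, not ClamAV's code and not from any poster, that classifies clamd and clamscan result lines into clean / infected / policy alert / unscanned so that a gateway can fail closed on the last group. All names in it are mine. The sample log is constructed: three lines reuse the paths and results quoted in these threads, the MaxFileSize, EICAR and summary lines are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One result line per file, with the optional prefixes clamd writes to its log:
#   [syslog-style stamp] Thu Jan 12 10:23:19 2023 -> /path/file: <result>
# where <result> is "OK", "<signature> FOUND" or "<message> ERROR".
LINE_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?"
    r"(?:[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} -+>?\s+)?"
    r"(?P<path>.+?): "
    r"(?:(?P<sig>.+?) FOUND|(?P<err>.+?) ERROR|(?P<ok>OK))$"
)
# "Heuristics.Encrypted.PDF(52d94f1c...:222005)" carries the MD5 and size of the
# flagged object in parentheses; plain signature names have no suffix.
SIG_RE = re.compile(r"^(?P<name>[^(]+?)(?:\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\))?$")
LIMIT_PREFIX = "Heuristics.Limits.Exceeded."


@dataclass
class ScanResult:
    path: str
    verdict: str                      # "clean" | "infected" | "policy" | "unscanned"
    signature: Optional[str] = None
    md5: Optional[str] = None
    size: Optional[int] = None
    reason: Optional[str] = None


def parse_line(line: str) -> Optional[ScanResult]:
    """Classify one log line; returns None for summary and progress lines."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    path = m.group("path")
    if m.group("ok"):
        return ScanResult(path, "clean")
    if m.group("err"):
        # e.g. "Can't allocate memory": the engine gave up, so nothing was scanned.
        return ScanResult(path, "unscanned", reason=m.group("err"))
    s = SIG_RE.match(m.group("sig"))
    name = s.group("name") if s else m.group("sig")
    md5 = s.group("md5") if s else None
    size = int(s.group("size")) if s and s.group("size") else None
    if name.startswith(LIMIT_PREFIX):
        # Only reported with AlertExceedsMax / --alert-exceeds-max; without it the
        # same file is reported as OK although it was not fully scanned.
        limit = name[len(LIMIT_PREFIX):]
        return ScanResult(path, "unscanned", name, md5, size, reason=f"scan limit {limit} exceeded")
    if name.startswith("Heuristics."):
        # Encrypted document, broken executable, etc.: a configured policy alert,
        # not a match against a malware signature.
        return ScanResult(path, "policy", name, md5, size, reason="heuristic alert")
    return ScanResult(path, "infected", name, md5, size)


def triage(lines) -> List[ScanResult]:
    return [r for r in (parse_line(ln) for ln in lines) if r is not None]


def summarize(results: List[ScanResult]) -> Dict[str, int]:
    counts = {"clean": 0, "infected": 0, "policy": 0, "unscanned": 0}
    for r in results:
        counts[r.verdict] += 1
    return counts


# Constructed sample: lines 1, 2 and 5 follow the log lines quoted in these threads;
# the MaxFileSize line, the EICAR line and the summary lines are made up.
SAMPLE_LOG = """\
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - /esa/bin/lwiservice.exe: Can't allocate memory ERROR
Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf: Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND
Sun Jan 22 05:40:18 2023 -> /srv/upload/backup.iso: Heuristics.Limits.Exceeded.MaxFileSize FOUND
/home/test/LPBB0010-10.pdf: OK
Thu Jun 17 08:52:49 2021 -> /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p002: Can't open file or directory ERROR
Fri Sep 29 14:36:01 2023 -> /home/user/eicar.com: Win.Test.EICAR_HDB-1 FOUND
--- SCAN SUMMARY ---
Infected files: 1
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for r in results:
        print(f"{r.verdict:9s} {r.path}  {r.signature or r.reason or ''}")
    print(summarize(results))
```

On the sample the three "unscanned" results are the two ERROR lines and the MaxFileSize hit; a mail or upload gateway should quarantine or retry those rather than count them as clean, and the Heuristics.Encrypted.PDF line lands in "policy", where the decision is yours rather than the engine's.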


[clamav-users] About scanning files larger than 2 GB in size

2023-01-21 Thread Tsutomu Oyamada
How do I set up clamd?
Setting MaxFileSize to "0" is unlimited, but internally files larger than 2GB 
in size cannot be scanned. 
In this case, do you treat the file as clean without scanning it at all?



[clamav-users] PDF scan

2022-09-19 Thread Tsutomu Oyamada
Hi, all.

I have a question about ClamAV 0.104.2 on an IBM AIX 7.3 system.
It takes a long time to scan PDF files with clamdscan.
It takes about 8 seconds to scan a PDF file (645 pages in total).
(sample file is here: https://www.uinet.or.jp/LPBB0010-10.pdf)

# /opt/freeware/sbin/clamd -V
ClamAV 0.104.2/26663/Mon Sep 19 03:56:35 2022
# clamdscan /home/test/LPBB0010-10.pdf
/home/test/LPBB0010-10.pdf: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 8.503 sec (0 m 8 s)
Start Date: 2022:09:19 08:38:50
End Date:   2022:09:19 08:38:58
# cat /opt/freeware/etc/clamav/clamd.conf |egrep -v '^$|^#'
LocalSocket /tmp/clamd.socket
LocalSocketMode 660
User root
AlertBrokenExecutables yes
AlertBrokenMedia yes
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes

I think it takes too long to scan PDF files.
Could you tell me how to shorten the time?




Re: [clamav-users] clamav error

2021-06-25 Thread Tsutomu Oyamada
Hi all,

It is also discussed in this thread.
CVD version 26199 causes the following error in ClamAV version 0.99.2:

Can't open file or directory ERROR

We have identified the signature causing the problem in CVD version 26199.

Win.Loader.Boxter-9870959-0

If you ignore this signature, you can scan without errors.
If possible, exclude this signature or modify it.

Please help us.

Best regards
T.O

On Thu, 17 Jun 2021 09:41:38 -0400
Michael Orlitzky via clamav-users  wrote:

> On 2021-06-17 09:00:09, Jigar via clamav-users wrote:
> > Hello,
> > 
> > Suddenly, we are getting the following error in clamd.log file
> > 
> > Thu Jun 17 08:52:49 2021 ->
> > /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p001:
> > Can't create new file ERROR
> > Thu Jun 17 08:52:49 2021 ->
> > /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p002:
> > Can't open file or directory ERROR
> > 
> > We have checked up all the permission and ownership. There is no change in 
> > it.
> > 
> 
> If you are (or can be) using a local socket to communicate with clamd,
> then I would suggest changing the way that amavisd invokes the virus
> scanner in amavisd.conf:
> 
>   # Use clamdscan with the --fdpass option so that the "clamav" user
>   # doesn't need to be able to read amavis's private working
>   # directory.
>   @av_scanners = (
> ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
>   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>   );
> 
> This is now the way that amavisd recommends, and assumes that your
> clamd socket is writable by the amavis user.
> 



___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamd scan problem

2020-11-01 Thread Tsutomu Oyamada
Hi, Mark

Thank you for your reply.

The RAM size of my system is 4GB.

I think it's not a system spec issue, it's a CVD issue.
This is because the event occurred at the CVD update.

Regards
T.Oyamada

On Sat, 31 Oct 2020 14:10:29 +
Mark Fortescue via clamav-users  wrote:

> How much memory is available on your AIX system ?
> 
> Recommendations vary but I think the general rule will be you need 4GBytes or 
> more for any server that has to do more than just run Clamd. Anything less 
> that 2GBytes is going to be very slow or fail.





Re: [clamav-users] about clamd boot sequence on Linux system.

2020-04-24 Thread Tsutomu Oyamada
Hi,

Thank you for your reply.
I'm sorry for the slow reply.

I understood that there are two processes when clamd is started. In
addition, since the DB load time of clamd varies depending on the amount
of memory installed in the system, the lifetime of the two processes
varies from system to system.

If the clamd process is using an official CVD file, it will require 2GB
or more of the system's memory.

Thank you so much.

Best regards,
T.O.

On Mon, 20 Apr 2020 14:21:00 +0100 (BST)
"G.W. Haywood via clamav-users"  wrote:

> Hi there,
> 
> On Mon, 20 Apr 2020, Tsutomu Oyamada wrote:
> 
> > There are temporarily two processes at clamd startup; is this by 
> > design?
> 
> If I understand your English, yes.  There will be two processes (or
> threads) running every time the database is being reloaded.  Each will
> use about the same maximum amount of memory, although one will exit
> after the reload is completed and its memory will then be released.
> 
> Please be aware of the distinction between a database update (which is
> performed by freshclam) and a database reload (which is performed by
> clamd itself).  A reload may take place immediately after an update if
> freshclam signals clamd to reload it; if freshclam does not do so, and
> that is configurable, it will take place when clamd next notices that
> the database has changed (usually when it is next called upon to scan
> something).
> 
> Please also be aware that if you run 'clamscan' then it will load its
> own copy of the databases too, but 'clamdscan' will not - it will use
> the clamd daemon to do the scanning.
> 
> > Is this going to be three or more?
> 
> Not normally, but you are at liberty to run more than one clamd
> process (if you configure them correctly) and I frequently do that.
> In such a case you are expected to know exactly what you are doing,
> and why you are doing it, and to have enough memory.
> 
> > On my system, after booting, it is in the following state for a few seconds.
> >
> > ps -aux
> > root  75687  100 44.2 944120 899844 ?   RN   00:00   0:27 
> > /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
> > root  75856  0.0 44.0 1017852 895532 ?  SNsl 00:00   0:00 
> > /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
> 
> The command which you gave above did not produce the output which you
> claim was produced.  It would be more helpful to give a command such as
> 
> ps -aux | grep clam
> 
> So that we can see exactly what is happening.
> 
> > This was not the case on systems with a lot of memory.
> 
> You have not said how much memory is present on the system!  But for a
> system running clamd you should normally expect to need more than two
> GBytes because during a database update clamd will have two copies of
> the databases loaded (and just a single copy of the official databases
> uses about one GByte of RAM) - and of course the rest of the system
> needs memory too.  You _can_ get away with using swap, but it will
> slow things down dramatically.  Even if it does not need to use swap,
> for just the official databases, depending on the performance of your
> systems you can expect a database reload to take anywhere between some
> seconds and some minutes.  In addition to the 'official' databases
> from Cisco/Talos I will typically use 30 - 40 'unofficial' databases;
> most of them aim to recognize spam rather than malware, but there is a
> lot of overlap.
> 
> -- 
> 73,
> Ged.
> 
> 





[clamav-users] about clamd boot sequence on Linux system.

2020-04-19 Thread Tsutomu Oyamada
Hi, all.

Let me know about the clamd process boot sequence on Linux.
There are temporarily two processes at clamd startup; is this by design?
Is this going to be three or more?
On my system, after booting, it is in the following state for a few seconds.

ps -aux
root  75687  100 44.2 944120 899844 ?   RN   00:00   0:27 
/usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
root  75856  0.0 44.0 1017852 895532 ?  SNsl 00:00   0:00 
/usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf

This was not the case on systems with a lot of memory.

Best regards,
T.O





Re: [clamav-users] About ClamAV 0.101.3 builds on AIX6.1

2019-08-20 Thread Tsutomu Oyamada
Hi Micah,

I'm sorry for the slow response.
It was a different issue on AIX 6.1, but your advice was helpful on AIX 7.1.
I was able to build correctly in my environment.

Thank you so much.

Regards,
Tsutomu Oyamada

On Tue, 13 Aug 2019 16:14:48 +
"Micah Snyder \(micasnyd\) via clamav-users"  
wrote:

> Hi Tsutomu,
> 
> It looks like you are seeing a similar issue to what these folks had when 
> building libtool on Solaris:
> https://forums.gentoo.org/viewtopic-t-1080858-start-0.html
> 
> Here the user solved it by changing the NM environment variable: 
> https://lists.gnu.org/archive/html/libtool/2012-11/msg00014.html
> 
> Ex:
> NM=/usr/xpg4/bin/nm\ \-p
> export NM
> 
> For Solaris 10 in the past, we've found that if you're not using the OpenCSW 
> tools you need to use gnm (gnu's nm utility).  The same is probably true for 
> AIX.  
> Please install gnm and give this a try (I've made the assumption that it'll 
> install to /usr/local.  Of course adjust the path as needed. I'm not sure if 
> the "-p" argument is required:
> 
> ./configure NM=/usr/local/bin/gnm AR="/usr/bin/ar -X64" LDFLAGS="-maix64 
> -Wl,-bbigtoc -lbsd -lclamav" CFLAGS="-maix64" CXXFLAGS="-maix64" 
> LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd" --prefix=/usr/lib/clamav 
> --exec-prefix=/usr/lib/clamav --bindir=/usr/lib/clamav 
> --sbindir=/usr/lib/clamav --sysconfdir=/etc/clamav --libdir=/usr/lib/clamav 
> --datarootdir=/usr/lib/clamav --with-dbdir=/usr/lib/clamav --disable-clamav 
> --enable-shared --disable-static --disable-zlib-vcheck --with-pcre 
> --with-openssl=/opt/freeware --enable-strni
> 
> Regards,
> Micah 
> 
> On 8/12/19, 10:04 PM, "clamav-users on behalf of Tsutomu Oyamada" 
>  
> wrote:
> 
> Hi, all
> 
> I am trying to build ClamAV 0.101.3 on AIX6.1.
> I did the following procedure, but it fails to make.
> What can I do?
> Excuse the long output below.
> 
> 1. Download clamav-0.101.3.tar.gz package.
> 2. Extract package.
> 3. Execute configure
> 
> AR="/usr/bin/ar -X64" LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd -lclamav" \
> ./configure CFLAGS="-maix64" CXXFLAGS="-maix64" LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd" \
>   --prefix=/usr/lib/clamav --exec-prefix=/usr/lib/clamav --bindir=/usr/lib/clamav \
>   --sbindir=/usr/lib/clamav --sysconfdir=/etc/clamav --libdir=/usr/lib/clamav \
>   --datarootdir=/usr/lib/clamav --with-dbdir=/usr/lib/clamav --disable-clamav \
>   --enable-shared --disable-static --disable-zlib-vcheck --with-pcre \
>   --with-openssl=/opt/freeware --enable-strni
> 
> checking for g++... g++
> checking whether the C++ compiler works... yes
> checking for C++ compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C++ compiler... yes
> checking whether g++ accepts -g... yes
> checking build system type... powerpc-ibm-aix6.1.0.0
> checking host system type... powerpc-ibm-aix6.1.0.0
> checking target system type... powerpc-ibm-aix6.1.0.0
> creating target.h - canonical system defines
> checking for a BSD-compatible install... config/install-sh -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... config/install-sh -c -d
> checking for gawk... no
> checking for mawk... no
> checking for nawk... nawk
> checking whether make sets $(MAKE)... yes
> checking for style of include used by make... GNU
> checking whether make supports nested variables... yes
> checking whether UID '0' is supported by ustar format... yes
> checking whether GID '0' is supported by ustar format... yes
> checking how to create a ustar tar archive... gnutar
> checking dependency style of g++... gcc3
> checking whether make supports nested variables... (cached) yes
> checking for gcc... gcc
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking whether gcc understands -c and -o together... yes
> checking dependency style of gcc... gcc3
> checking the archiver (/usr/bin/ar -X64) interface... ar
> checking how to run the C preprocessor... gcc -E
> checking for grep that handles long lines and -e... /usr/bin/grep
> checking for egrep... /usr/bin/grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... y

[clamav-users] About ClamAV 0.101.3 builds on AIX6.1

2019-08-12 Thread Tsutomu Oyamada
Hi, all

I am trying to build ClamAV 0.101.3 on AIX6.1.
I did the following procedure, but it fails to make.
What can I do?
Excuse the long output below.

1. Download clamav-0.101.3.tar.gz package.
2. Extract package.
3. Execute configure

AR="/usr/bin/ar -X64" LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd -lclamav" \
./configure CFLAGS="-maix64" CXXFLAGS="-maix64" LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd" \
  --prefix=/usr/lib/clamav --exec-prefix=/usr/lib/clamav --bindir=/usr/lib/clamav \
  --sbindir=/usr/lib/clamav --sysconfdir=/etc/clamav --libdir=/usr/lib/clamav \
  --datarootdir=/usr/lib/clamav --with-dbdir=/usr/lib/clamav --disable-clamav \
  --enable-shared --disable-static --disable-zlib-vcheck --with-pcre \
  --with-openssl=/opt/freeware --enable-strni

checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking build system type... powerpc-ibm-aix6.1.0.0
checking host system type... powerpc-ibm-aix6.1.0.0
checking target system type... powerpc-ibm-aix6.1.0.0
creating target.h - canonical system defines
checking for a BSD-compatible install... config/install-sh -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... config/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking whether UID '0' is supported by ustar format... yes
checking whether GID '0' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking dependency style of g++... gcc3
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking the archiver (/usr/bin/ar -X64) interface... ar
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking how to print strings... print -r
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 786432
checking how to convert powerpc-ibm-aix6.1.0.0 file names to 
powerpc-ibm-aix6.1.0.0 format... func_convert_file_noop
checking how to convert powerpc-ibm-aix6.1.0.0 file names to toolchain 
format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... no
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... print -r --
checking for archiver @FILE support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... failed
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking which variant of shared library versioning to provide... aix
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... AIX lib.a(lib.so.V)
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... yes

Re: [clamav-users] Scan very slow

2019-03-28 Thread Tsutomu Oyamada
Hi Micah

It seems that the scanning slowdown issue of this time has been solved
to some extent with the CVD update of the other day.
However, there is still a big discrepancy between the current condition and
the condition one month ago.

Date        Files     Scan time
2019/02/15  2550338   08:53:57
2019/03/15  2612792   19:22:54
2019/03/26  2634489   18:13:56
2019/03/27  2637201   18:10:05

We know the improvement this time is due to the contents of the CVD, because
we did not make any changes to the user's system.
We are going to try some tuning for scanning.

We would like to know if you still have some room to make further improvements
for this slowdown issue.
Thank you in advance for your help.

Best regards,
Oya

On Mon, 25 Mar 2019 15:45:02 +
"Micah Snyder (micasnyd) via clamav-users" wrote:

> Hi Mark, all:
> 
> I’m disappointed to hear that it is still slow for you.
> 
> We found that the target-type of signatures used for PhishTank.Phishing 
> signatures were causing a significant slowdown.   We have dropped them as of 
> this past Saturday ( https://lists.gt.net/clamav/virusdb/75279 ) and in the 
> last two updates have been re-adding them with more specific scan target 
> types.  We’re now investigating some other optimizations we can make for the 
> next major ClamAV release to improve scan times but at present we don’t have 
> any other leads for signatures that may be slowing down scans.
> 
> Regards,
> Micah
> 
> 
> From: clamav-users  on behalf of Mark 
> Allan via clamav-users 
> Reply-To: ClamAV users ML 
> Date: Monday, March 25, 2019 at 9:37 AM
> To: ClamAV users ML 
> Cc: Mark Allan 
> Subject: Re: [clamav-users] Scan very slow
> 
> Cheers Steve,
> 
> In the interest of completeness, here's the scan from today (TXT from DNS: 
> 0.101.1:58:25399:1553509741:1:63:48528:328) showing a marked improvement in 
> scan time, although at 6m 7s it's still almost twice what it used to be.
> 
> Mark
> 
> On Mon, 25 Mar 2019 at 12:56, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> On 2019-03-25 10:52, Mark Allan via clamav-users wrote:
> > Hi all,
> >
> te.
> >
> > Hopefully this helps someone to narrow things down a bit.
> >
> > Mark
> >
> 
> 18/3/19 10m 49s TXT from DNS:
> 0.101.1:58:25392:1552904941:1:63:48507:328  ***
> 
> Here's the changes for the above update:
> 
> https://lists.gt.net/clamav/virusdb/75154
> 
> You can also check sigs quickly per update:
> 
> https://lists.gt.net/clamav/virusdb/
> 
> 
> 
> --
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml





Re: [clamav-users] Question about the clamdscan

2018-03-19 Thread Tsutomu Oyamada
Thank you so much.
Your advice was very helpful.
I would also like to wait for a message from the developer.

On Thu, 15 Mar 2018 23:13:09 -0700
Al Varnell <alvarn...@mac.com> wrote:

> I believe the developers are hard at work planning for the future this week, 
> so they can probably give you better answers than I later on.
> 
> I suspect some of this may be platform specific, so my answers are based on 
> my macOS experience.
> 
> clamd scans every file that clamdscan tells it to, so something else needs to 
> keep track of what's new or changed and notify clamdscan to tell clamd to 
> scan them. So that requires tapping into the file system to determine changes 
> in the area of interest.
> 
> I've never had an issue with using a file while it's being processed by 
> ClamAV, but scans normally take place very rapidly, so I may not have noticed 
> it being locked.
> 
> Sent from my iPad
> 
> -Al-
> 
> > On Mar 15, 2018, at 1:12 AM, Tsutomu Oyamada <oyam...@promark-inc.com> 
> > wrote:
> > 
> > I have two questions about clamdscan:
> > 
> > 1) Does clamd skip scanning files which were scanned before?
> > I want to know if clamd remembers which files have been scanned, and skips them 
> > when the scan is performed again.
> > 
> > 2) Is there any case in which a file is locked by clamd (the user cannot use 
> > that file) while it is being scanned?
> > 
> > T.O




[clamav-users] Question about the clamdscan

2018-03-15 Thread Tsutomu Oyamada
Hi, all.

I have two questions about clamdscan:

1) Does clamd skip scanning files which were scanned before?
I want to know if clamd remembers which files have been scanned, and skips them 
when the scan is performed again.

2) Is there any case in which a file is locked by clamd (the user cannot use that 
file) while it is being scanned?

T.O

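An added example, written for this page and not taken from the thread or from ClamAV itself, of the "something else" that Al's reply above says must keep track of what is new or changed: a small Python tracker that records size, mtime and SHA-256 per file and hands only new or changed files to clamd through clamdscan. The record is keyed by the signature-database version the caller passes in (for example the version read from the daily.cvd header), because a verdict of clean is only valid for the signatures it was reached with, and files that were not reported clean are deliberately not recorded so they are presented again. The clamdscan flags and exit codes are those of the stock clamdscan client; the state-file layout, the `demo_run` walk-through and its stand-in scanner are constructed for illustration and need no running clamd.

```python
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

Scanner = Callable[[List[Path]], Dict[str, str]]   # paths -> {path: "OK" | "FOUND"}


def sha256_of(path: Path) -> str:
    """Hash the file through a plain read-only open. Like clamd, this takes no
    lock, so other users can keep using the file while it is being read."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def clamdscan(paths: List[Path]) -> Dict[str, str]:
    """Hand files to clamd via clamdscan: exit 0 = clean, 1 = something found,
    2 = error. --fdpass passes an open descriptor so clamd's own user need not
    be able to open the path itself."""
    verdicts: Dict[str, str] = {}
    for p in paths:
        r = subprocess.run(["clamdscan", "--fdpass", "--no-summary", str(p)],
                           capture_output=True, text=True)
        if r.returncode == 2:
            raise RuntimeError(f"clamdscan failed on {p}: {r.stderr.strip() or r.stdout.strip()}")
        verdicts[str(p)] = "FOUND" if r.returncode == 1 else "OK"
    return verdicts


def scan_changed(root: Path, state_file: Path, db_version: str,
                 scan: Scanner = clamdscan) -> Dict[str, str]:
    """Scan only files under root that are new or changed since the last run.
    A database version change empties the record (old 'clean' verdicts are
    void once new signatures arrive). Unchanged size+mtime is trusted without
    re-hashing; an attacker who restores mtime after tampering defeats that
    shortcut, so hash everything each run if that threat matters to you."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    if state.get("db") != db_version:
        state = {"db": db_version, "files": {}}
    files: Dict[str, list] = state["files"]

    todo: List[Path] = []
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        key = str(p.relative_to(root))
        st = p.stat()
        rec = files.get(key)
        if rec and rec[0] == st.st_size and rec[1] == st.st_mtime_ns:
            continue                                   # metadata unchanged: trust the record
        digest = sha256_of(p)
        files[key] = [st.st_size, st.st_mtime_ns, digest]
        if rec and rec[2] == digest:
            continue                                   # touched, same content: no rescan
        todo.append(p)
    for key in [k for k in files if not (root / k).is_file()]:
        del files[key]                                 # forget deleted files

    verdicts = scan(todo)
    for p in todo:
        if verdicts.get(str(p)) != "OK":
            files.pop(str(p.relative_to(root)), None)  # keep re-presenting flagged files
    state_file.write_text(json.dumps(state))
    return verdicts


def demo_run() -> List[List[str]]:
    """Constructed walk-through with a stand-in scanner (no clamd needed):
    returns the batch of file names handed to the scanner on each run."""
    root, aux = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    batches: List[List[str]] = []

    def fake_scanner(paths: List[Path]) -> Dict[str, str]:
        batches.append(sorted(str(p.relative_to(root)) for p in paths))
        # constructed verdict rule: the content b"world!" stands in for a detection
        return {str(p): ("FOUND" if p.read_bytes() == b"world!" else "OK") for p in paths}

    try:
        (root / "a.txt").write_bytes(b"hello")
        (root / "b.txt").write_bytes(b"world")
        state = aux / "scan-state.json"
        scan_changed(root, state, "daily-22473", fake_scanner)   # first run: everything
        scan_changed(root, state, "daily-22473", fake_scanner)   # nothing changed: nothing scanned
        (root / "b.txt").write_bytes(b"world!")
        scan_changed(root, state, "daily-22473", fake_scanner)   # only b.txt, and it is flagged
        scan_changed(root, state, "daily-22473", fake_scanner)   # b.txt again: never recorded as clean
        scan_changed(root, state, "daily-22474", fake_scanner)   # new database: everything again
    finally:
        shutil.rmtree(root)
        shutil.rmtree(aux)
    return batches


if __name__ == "__main__":
    for i, batch in enumerate(demo_run(), 1):
        print(f"run {i}: {batch}")
```

Whether clamd itself keeps any verdict cache is a separate matter from this tracker; the tracker only decides what clamd is asked to look at.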


[clamav-users] update mirror trouble?

2017-11-05 Thread Tsutomu Oyamada
Hi,

It looks like updating of the CVD from database.clamav.net is not working
(it has stopped).
Has some trouble happened?

We are in Japan, and database.clamav.net is set as a CNAME to
db.jp.clamav.net.
db.jp.clamav.net has 4 IP addresses, and those are working in round-robin.
Every site is working, but the CVD version stops at 24010 as follows.

db.jp.clamav.net.   39  IN  A   218.44.253.75
db.jp.clamav.net.   39  IN  A   203.178.137.175
db.jp.clamav.net.   39  IN  A   27.96.54.66
db.jp.clamav.net.   39  IN  A   124.35.85.83




Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-26 Thread Tsutomu Oyamada
Thank you Joel.


On Wed, 25 Oct 2017 13:05:42 +
"Joel Esler (jesler)" <jes...@cisco.com> wrote:

> This has been dropped as well.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> 
> 
> 
> 
> 
> On Oct 24, 2017, at 5:11 AM, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
> 
> Yes,
> I have submitted the file many times.
> 
> File name: omni.ja
> SHA256: 5e852b33f716fb6b81bc75d762372a105f04dcdab07a621eddb8507970dbd0b6
> 
> On Mon, 23 Oct 2017 23:48:26 -0700
> Al Varnell <alvarn...@mac.com> wrote:
> 
> Did you submit a sample of it as a false positive report? If so please reply 
> with a hash value for the file you submitted.
> 
> Sent from my iPhone
> 
> -Al-
> --
> Al Varnell
> Mountain View, CA
> 
> On Oct 23, 2017, at 9:50 PM, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
> 
> Hi, Joel.
> 
> Thank you.
> The issue of false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been 
> solved,
> but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.
> 
> Could you drop this signature as well?
> 
> 
> On Fri, 20 Oct 2017 14:47:24 +
> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
> 
> All ?
> 
> This signature has been dropped.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> 
> 
> 
> 
> 
> On Oct 20, 2017, at 8:30 AM, Gene Heskett <ghesk...@shentel.net> wrote:
> 
> On Friday 20 October 2017 02:06:38 Al Varnell wrote:
> 
> I assume we are all still talking about
> Html.Exploit.CVE_2017_8750-6336209-0?
> 
> Gene, I believe your report was an omni.ja file infected with
> Html.Exploit.CVE_2017_8757-6336185-0.
> 
> Since it was the same file, I suppose I missed that the CVE had changed.
> Anyway, its the above number I've been looking at every morning for a
> couple weeks. I figured my previous msg was sufficient. My bad.
> 
> They have both been dealt with locally by ClamXAV, but I've not seen
> either listed as dropped by ClamAV yet.
> 
> Different versions of Firefox on different platforms.
> 
> -Al-
> 
> On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
> On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
> Hi,
> 
> The false positive for omni.ja is still occurring.
> I have reported this many times, but it has not been fixed yet.
> 
> I have been troubled with this issue.
> What am I supposed to do?
> 
> I too have reported this, but nothing is being done.
> 
> On Sat, 23 Sep 2017 09:53:30 -0400
> 
> Gene Heskett <ghesk...@shentel.net> wrote:
> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
> note correction in subject file location
> 
> So here are the facts with regard to
> Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> previously reported in this thread). It was just added to the
> database about fifteen hours ago in daily - 23863 and is looking
> for two strings which you can observe by using the following
> (I'm not posting it here so this e-mail won't be detected as
> infected):
> 
> sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool
> --decode-sigs
> 
> CVE-2017-8750 is described as
> <https://nvd.nist.gov/vuln/detail/CVE-2017-8750>: "Internet
> Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
> Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
> Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
> 1607, 1703, and Windows Server 2016 allow an attacker to execute
> arbitrary code in the context of the current user due to the way
> that Microsoft browsers access objects in memory, aka "Microsoft
> Browser Memory Corruption Vulnerability"."
> 
> so it's not a threat to your platform unless you are also running
> Windows somehow.
> 
> I've a bounty on windows here, nuke on encounter.
> 
> My power just came back so I scanned my Firefox 55.0.3 for Mac
> and it tested clean. Taking a look at the omni.ja file I see 109
> occurrences of the first string, but not the second.
> 
> So at this point I'll just repeat my advice from before to submit
> that file to <http://www.clamav.net/reports/fp

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-24 Thread Tsutomu Oyamada
Yes, 
I have submitted the file many times.

File name: omni.ja
SHA256: 5e852b33f716fb6b81bc75d762372a105f04dcdab07a621eddb8507970dbd0b6

On Mon, 23 Oct 2017 23:48:26 -0700
Al Varnell <alvarn...@mac.com> wrote:

> Did you submit a sample of it as a false positive report? If so please reply 
> with a hash value for the file you submitted. 
> 
> Sent from my iPhone
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> > On Oct 23, 2017, at 9:50 PM, Tsutomu Oyamada <oyam...@promark-inc.com> 
> > wrote:
> > 
> > Hi, Joel.
> > 
> > Thank you.
> > The issue of false positive for Html.Exploit.CVE_2017_8750-6336209-0 has 
> > been solved,
> > but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved 
> > yet.
> > 
> > Could you drop this signature as well?
> > 
> > 
> > On Fri, 20 Oct 2017 14:47:24 +
> > "Joel Esler (jesler)" <jes...@cisco.com> wrote:
> > 
> >> All ?
> >> 
> >> This signature has been dropped.
> >> 
> >> --
> >> Joel Esler | Talos: Manager | jes...@cisco.com
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> On Oct 20, 2017, at 8:30 AM, Gene Heskett <ghesk...@shentel.net> wrote:
> >> 
> >> On Friday 20 October 2017 02:06:38 Al Varnell wrote:
> >> 
> >> I assume we are all still talking about
> >> Html.Exploit.CVE_2017_8750-6336209-0?
> >> 
> >> Gene, I believe your report was an omni.ja file infected with
> >> Html.Exploit.CVE_2017_8757-6336185-0.
> >> 
> >> Since it was the same file, I suppose I missed that the CVE had changed.
> >> Anyway, its the above number I've been looking at every morning for a
> >> couple weeks. I figured my previous msg was sufficient. My bad.
> >> 
> >> They have both been dealt with locally by ClamXAV, but I've not seen
> >> either listed as dropped by ClamAV yet.
> >> 
> >> Different versions of Firefox on different platforms.
> >> 
> >> -Al-
> >> 
> >> On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
> >> On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
> >> Hi,
> >> 
> >> The false positive for omni.ja is still occurring.
> >> I have reported this many times, but it has not been fixed yet.
> >> 
> >> I have been troubled with this issue.
> >> What am I supposed to do?
> >> 
> >> I too have reported this, but nothing is being done.
> >> 
> >> On Sat, 23 Sep 2017 09:53:30 -0400
> >> 
> >> Gene Heskett <ghesk...@shentel.net> wrote:
> >> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
> >> note correction in subject file location
> >> 
> >> So here are the facts with regard to
> >> Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> >> previously reported in this thread). It was just added to the
> >> database about fifteen hours ago in daily - 23863 and is looking
> >> for two strings which you can observe by using the following
> >> (I'm not posting it here so this e-mail won't be detected as
> >> infected):
> >> 
> >> sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool
> >> --decode-sigs
> >> 
> >> CVE-2017-8750 is described as
> >> <https://nvd.nist.gov/vuln/detail/CVE-2017-8750>: "Internet
> >> Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
> >> Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
> >> Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
> >> 1607, 1703, and Windows Server 2016 allow an attacker to execute
> >> arbitrary code in the context of the current user due to the way
> >> that Microsoft browsers access objects in memory, aka "Microsoft
> >> Browser Memory Corruption Vulnerability"."
> >> 
> >> so it's not a threat to your platform unless you are also running
> >> Windows somehow.
> >> 
> >> I've a bounty on windows here, nuke on encounter.
> >> 
> >> My power just came back so I scanned my Firefox 55.0.3 for Mac
> >> and it tested clean. Taking a look at the omni.ja file I see 109
> >> occurrences of the first s

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-23 Thread Tsutomu Oyamada
Hi, Joel.

Thank you.
The issue of false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been 
solved,
but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.

Could you drop this signature as well?


On Fri, 20 Oct 2017 14:47:24 +
"Joel Esler (jesler)" <jes...@cisco.com> wrote:

> All ?
> 
> This signature has been dropped.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> 
> 
> 
> 
> 
> On Oct 20, 2017, at 8:30 AM, Gene Heskett <ghesk...@shentel.net> wrote:
> 
> On Friday 20 October 2017 02:06:38 Al Varnell wrote:
> 
> I assume we are all still talking about
> Html.Exploit.CVE_2017_8750-6336209-0?
> 
> Gene, I believe your report was an omni.ja file infected with
> Html.Exploit.CVE_2017_8757-6336185-0.
> 
> Since it was the same file, I suppose I missed that the CVE had changed.
> Anyway, its the above number I've been looking at every morning for a
> couple weeks. I figured my previous msg was sufficient. My bad.
> 
> They have both been dealt with locally by ClamXAV, but I've not seen
> either listed as dropped by ClamAV yet.
> 
> Different versions of Firefox on different platforms.
> 
> -Al-
> 
> On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
> On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
> Hi,
> 
> The false positive for omni.ja is still occurring.
> I have reported this many times, but it has not been fixed yet.
> 
> I have been troubled with this issue.
> What am I supposed to do?
> 
> I too have reported this, but nothing is being done.
> 
> On Sat, 23 Sep 2017 09:53:30 -0400
> 
> Gene Heskett <ghesk...@shentel.net> wrote:
> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
> note correction in subject file location
> 
> So here are the facts with regard to
> Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> previously reported in this thread). It was just added to the
> database about fifteen hours ago in daily - 23863 and is looking
> for two strings which you can observe by using the following
> (I'm not posting it here so this e-mail won't be detected as
> infected):
> 
> sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool
> --decode-sigs
> 
> CVE-2017-8750 is described as
> <https://nvd.nist.gov/vuln/detail/CVE-2017-8750>: "Internet
> Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
> Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
> Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
> 1607, 1703, and Windows Server 2016 allow an attacker to execute
> arbitrary code in the context of the current user due to the way
> that Microsoft browsers access objects in memory, aka "Microsoft
> Browser Memory Corruption Vulnerability"."
> 
> so it's not a threat to your platform unless you are also running
> Windows somehow.
> 
> I've a bounty on windows here, nuke on encounter.
> 
> My power just came back so I scanned my Firefox 55.0.3 for Mac
> and it tested clean. Taking a look at the omni.ja file I see 109
> occurrences of the first string, but not the second.
> 
> So at this point I'll just repeat my advice from before to submit
> that file to <http://www.clamav.net/reports/fp> then return here and report a
> hash value.
> 
> Means to determine hash? I'll assume sha256sum here
> 
> gene@coyote:~/firefox/browser$ sha256sum omni.ja
> 2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348
> omni.ja
> 
> Thanks Al
> 
> On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> Power out here so cannot check. Was negative when I looked at
> macOS version last week.
> 
> What OS?
> 
> 32 bit wheezy,on an AMD phenom, all up to date. uname -a
> 
> 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> (2017-02-24) x86_64 GNU/Linux
> 
> Thank you Al.
> 
> Sent from my iPhone
> 
> -Al-
> 
> Cheers, Gene Heskett
> 
> -Al-
> 
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page <http://geneslinuxbox.net:6309/gene>

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-19 Thread Tsutomu Oyamada
Hi,

The false positive for omni.ja is still occurring.
I have reported this many times, but it has not been fixed yet.

I have been troubled with this issue.
What am I supposed to do?



On Sat, 23 Sep 2017 09:53:30 -0400
Gene Heskett  wrote:

> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
> note correction in subject file location
> 
> > So here are the facts with regard to
> > Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> > previously reported in this thread). It was just added to the database
> > about fifteen hours ago in daily - 23863 and is looking for two
> > strings which you can observe by using the following (I'm not posting
> > it here so this e-mail won't be detected as infected):
> >
> > sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs
> >
> > CVE-2017-8750 is described as
> > : "Internet Explorer
> > in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1
> > and Windows RT 8.1, Windows Server 2012 R2, and Microsoft Edge and
> > Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows
> > Server 2016 allow an attacker to execute arbitrary code in the context
> > of the current user due to the way that Microsoft browsers access
> > objects in memory, aka "Microsoft Browser Memory Corruption
> > Vulnerability"."
> >
> > so it's not a threat to your platform unless you are also running
> > Windows somehow.
> 
> I've a bounty on windows here, nuke on encounter.
> 
> > My power just came back so I scanned my Firefox 55.0.3 for Mac and it
> > tested clean. Taking a look at the omni.ja file I see 109 occurrences
> > of the first string, but not the second.
> >
> > So at this point I'll just repeat my advice from before to submit that
> > file to  then return here and report
> > a hash value.
> 
> Means to determine hash? I'll assume sha256sum here
> 
> gene@coyote:~/firefox/browser$ sha256sum omni.ja
> 2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348  omni.ja
> 
> Thanks Al
> >
> > On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> > > On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> > >> Power out here so cannot check. Was negative when I looked at macOS
> > >> version last week.
> > >>
> > >> What OS?
> > >
> > > 32 bit wheezy,on an AMD phenom, all up to date. uname -a
> > >
> > > 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> > > (2017-02-24) x86_64 GNU/Linux
> > >
> > > Thank you Al.
> > >
> > >> Sent from my iPhone
> > >>
> > >> -Al-
> > >
> > > Cheers, Gene Heskett
> >
> > -Al-
> 
> 
> Cheers, Gene Heskett
> -- 
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 
> 


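An added illustration, not from this thread and not ClamAV's own tooling, of what the `sigtool -f ... | sigtool --decode-sigs` step above lets you see: a Python decoder for the subset of ClamAV's hex-signature syntax used in .ndb records (literal bytes, `??`, nibble wildcards, `*`, `{n-m}` gaps and `(aa|bb)` alternatives), compiled to a regular expression and run over constructed sample data. The signature `Test.Html.TwoStrings-1` is constructed here and is not the Html.Exploit signature discussed; it only has the shape Al describes, two strings joined by `*`, and shows why such a signature can fire on any script-bearing file such as Firefox's omni.ja. Target-type filtering and ClamAV's HTML normalisation are not modelled, and the readable rendering is this script's own, not sigtool's exact output.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Second .ndb field; the long-standing target types (newer releases add more).
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalised)",
                4: "Mail", 5: "Graphics", 6: "ELF", 7: "ASCII text (normalised)"}


@dataclass
class NdbSignature:
    name: str
    target: int
    offset: str
    hexsig: str


def parse_ndb_line(line: str) -> NdbSignature:
    """Split one .ndb record: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    f = line.strip().split(":")
    if len(f) < 4:
        raise ValueError(f"not an .ndb record: {line!r}")
    return NdbSignature(f[0], int(f[1]), f[2], f[3])


def tokenize(hexsig: str) -> Iterator[Tuple[str, object]]:
    """Yield (kind, value) for the subset handled here: literal bytes, '??',
    nibble wildcards 'a?'/'?a', '*', '{n}', '{n-m}', '{-m}', '{n-}' and
    '(aa|bb)'. Anything else raises rather than being mis-parsed silently."""
    i = 0
    while i < len(hexsig):
        c = hexsig[i]
        if c == "*":
            yield ("any", None)
            i += 1
        elif c == "{":
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            lo_n = int(lo) if lo else 0
            hi_n = (int(hi) if hi else None) if dash else lo_n   # None = unbounded
            yield ("gap", (lo_n, hi_n))
            i = j + 1
        elif c == "(":
            j = hexsig.index(")", i)
            yield ("alt", [bytes.fromhex(a) for a in hexsig[i + 1:j].split("|")])
            i = j + 1
        else:
            pair = hexsig[i:i + 2]
            if not re.fullmatch(r"[0-9a-fA-F?]{2}", pair):
                raise ValueError(f"unsupported syntax at {i}: {hexsig[i:i + 8]!r}")
            if pair == "??":
                yield ("wild", None)
            elif "?" in pair:
                yield ("nibble", pair)
            else:
                yield ("byte", int(pair, 16))
            i += 2


def hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Compile the hex signature to a bytes regex (DOTALL: wildcards span newlines)."""
    out: List[bytes] = []
    for kind, val in tokenize(hexsig):
        if kind == "byte":
            out.append(re.escape(bytes([val])))
        elif kind == "wild":
            out.append(b".")
        elif kind == "any":
            out.append(b".*?")
        elif kind == "gap":
            lo, hi = val
            out.append(b".{%d,%s}" % (lo, b"" if hi is None else str(hi).encode()))
        elif kind == "alt":
            out.append(b"(?:" + b"|".join(re.escape(a) for a in val) + b")")
        else:  # nibble wildcard: the 16 byte values it covers, as a character class
            h, l = val
            vals = ([int(h, 16) << 4 | x for x in range(16)] if l == "?"
                    else [x << 4 | int(l, 16) for x in range(16)])
            out.append(b"[" + b"".join(re.escape(bytes([v])) for v in vals) + b"]")
    return re.compile(b"".join(out), re.DOTALL)


def render_hexsig(hexsig: str) -> str:
    """Readable form (this script's own rendering, not sigtool's exact output):
    printable ASCII as itself, other bytes as \\xNN, wildcards in braces."""
    parts: List[str] = []
    for kind, val in tokenize(hexsig):
        if kind == "byte":
            parts.append(chr(val) if 0x20 <= val < 0x7F else f"\\x{val:02x}")
        elif kind == "wild":
            parts.append("{?}")
        elif kind == "any":
            parts.append("{*}")
        elif kind == "gap":
            lo, hi = val
            parts.append("{%d-%s}" % (lo, "" if hi is None else hi))
        elif kind == "alt":
            parts.append("(" + "|".join(a.hex() for a in val) + ")")
        else:
            parts.append("{" + val + "}")
    return "".join(parts)


def signature_matches(sig: NdbSignature, data: bytes) -> bool:
    """Apply the signature at offset '*' (anywhere) or at an absolute offset.
    Target-type filtering and ClamAV's HTML normalisation are not modelled."""
    pat = hexsig_to_regex(sig.hexsig)
    if sig.offset == "*":
        return pat.search(data) is not None
    if sig.offset.isdigit():
        return pat.match(data, int(sig.offset)) is not None
    raise ValueError(f"offset syntax not handled here: {sig.offset!r}")


# Constructed signature with the shape described in the thread ("looking for
# two strings"): "<script>" then, anywhere later, "document.write". It is NOT
# the Html.Exploit signature discussed above.
SAMPLE_NDB = "Test.Html.TwoStrings-1:3:*:3c7363726970743e*646f63756d656e742e7772697465"

# Constructed inputs: a harmless bundled script carrying both strings, and one
# carrying only the first.
BUNDLED_SCRIPT = b"<html><script>\nfunction render(s) { document.write(s); }\n</script></html>"
OTHER_SCRIPT = b'<html><script>console.log("hi")</script></html>'

if __name__ == "__main__":
    sig = parse_ndb_line(SAMPLE_NDB)
    print(sig.name, TARGET_TYPES[sig.target], sig.offset, render_hexsig(sig.hexsig))
    for label, data in (("bundled", BUNDLED_SCRIPT), ("other", OTHER_SCRIPT)):
        print(label, "FOUND" if signature_matches(sig, data) else "OK")
```

The point for a false-positive report is visible in the decoded form: two ordinary strings with an unbounded gap will match a great deal of legitimate JavaScript, which is why the exact strings are worth inspecting before deciding whether the hit is plausible on the file in question.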


[clamav-users] Question about Scanning speed of clamd 0.99.2 with PCRE

2017-05-11 Thread Tsutomu Oyamada
Hi, all.

We are using clamd 0.99.2 with PCRE.
The required time for scan varies significantly by the CVD version.
Does the the required time for scan depend on the number of signatures for PCRE 
which are inside the CVD?
When we use clamd without PCRE, the required time for scan are not so different.
Is there any way to check the number of signatures which are used by PCRE?

Thanks,
T.O.



[clamav-users] the problem of endless loop

2016-12-19 Thread Tsutomu Oyamada
Hi, all.

I have a question about the error which is caused by the shortage of the size 
acquired by the mpool_malloc function in clamd version 0.97.8.

the message:
mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to 
http://bugs.clamav.net

This error does not exist in version 0.98 and later, but we think that the 
endless loop problem is not fixed even in the latest version.
When the .hdb data of the CVD file is read and the hash table is not big 
enough, the cli_htu32_insert function of libclamav/hashdb.c loops and cannot 
detect the error, which leads to an endless loop.
We found that the code is not fixed in version 0.99.2.

We think that the following code in the cli_htu32_grow function should return a 
negative value:

391: if(new_capacity == s->capacity || !htable)
392: return CL_EMEM;

Will this fix be released?
If yes, could you tell us on what version will this fix be released?

T.O

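An added example, written for this page and not taken from libclamav, of the control-flow point the post makes: a small open-addressing table in Python whose growth ceiling stands in for the allocator refusing a bigger table (the mpool_malloc message quoted above). `insert` lets the growth failure escape, with the `TableFull` exception playing the role of CL_EMEM; `insert_swallowing_errors` shows the alternative, a retry loop that never terminates once the table can no longer grow, with a cut-off added only so the demonstration returns. The class and function names, the capacity ceiling and the hash multiplier are assumptions of this example.

```python
from typing import List, Optional, Tuple


class TableFull(Exception):
    """Growth refused; plays the part of libclamav's CL_EMEM here."""


class HashTableU32:
    """Open-addressing table with linear probing and a hard growth ceiling.
    MAX_CAPACITY stands in for the allocator refusing a larger table; the
    hash multiplier is arbitrary (assumption of this example)."""
    MAX_CAPACITY = 8

    def __init__(self, capacity: int = 2) -> None:
        self.slots: List[Optional[Tuple[int, int]]] = [None] * capacity
        self.count = 0

    @property
    def capacity(self) -> int:
        return len(self.slots)

    @staticmethod
    def _probe(slots: List[Optional[Tuple[int, int]]], key: int):
        """Yield slot indices in probe order for key."""
        cap = len(slots)
        start = (key * 2654435761) % cap
        for i in range(cap):
            yield (start + i) % cap

    def lookup(self, key: int) -> Optional[int]:
        for idx in self._probe(self.slots, key):
            entry = self.slots[idx]
            if entry is None:
                return None
            if entry[0] == key:
                return entry[1]
        return None

    @staticmethod
    def _place(slots: List[Optional[Tuple[int, int]]], key: int, value: int) -> bool:
        """Store into the first free (or same-key) slot; False if the table is full."""
        for idx in HashTableU32._probe(slots, key):
            if slots[idx] is None or slots[idx][0] == key:
                slots[idx] = (key, value)
                return True
        return False

    def grow(self) -> None:
        """Double the table and rehash. The check the post asks for: a 'grow'
        that leaves the capacity unchanged (or cannot allocate) is an error,
        not a silent no-op, because the caller is about to retry."""
        new_capacity = min(self.capacity * 2, self.MAX_CAPACITY)
        if new_capacity == self.capacity:
            raise TableFull(f"cannot grow beyond {self.capacity} slots")
        new_slots: List[Optional[Tuple[int, int]]] = [None] * new_capacity
        for entry in self.slots:
            if entry is not None:
                self._place(new_slots, *entry)
        self.slots = new_slots

    def insert(self, key: int, value: int) -> None:
        """Insert, growing once when the table is full. The error raised by
        grow() is allowed to escape, which is what ends the retry loop."""
        is_new = self.lookup(key) is None
        while True:
            if self._place(self.slots, key, value):
                self.count += is_new
                return
            self.grow()

    def insert_swallowing_errors(self, key: int, value: int, max_spins: int) -> int:
        """The failure mode from the post: a failed grow treated as 'try again'.
        Returns the number of spins before the demonstration cut-off; the real
        loop has no cut-off and never returns."""
        spins = 0
        while spins < max_spins:
            if self._place(self.slots, key, value):
                return spins
            try:
                self.grow()
            except TableFull:
                pass                      # the bug: error ignored, loop continues
            spins += 1
        return spins


def load_hashes(n_entries: int) -> Tuple[str, int]:
    """Insert n_entries distinct keys, as loading an .hdb would; returns
    ('ok' | 'emem', entries stored) instead of hanging when the table is full."""
    table = HashTableU32()
    for k in range(n_entries):
        try:
            table.insert(k, k * 10)
        except TableFull:
            return ("emem", table.count)
    return ("ok", table.count)


def spins_when_full(max_spins: int) -> int:
    """Fill the table to its ceiling, then try the error-swallowing insert."""
    table = HashTableU32()
    for k in range(HashTableU32.MAX_CAPACITY):
        table.insert(k, k)
    return table.insert_swallowing_errors(HashTableU32.MAX_CAPACITY + 1, 0, max_spins)


if __name__ == "__main__":
    print(load_hashes(8), load_hashes(9), spins_when_full(1000))
```

The operational consequence is the one the post is worried about: a database (or a crafted .hdb) large enough to exhaust the table turns a loader that ignores the growth error into a daemon that never finishes loading, whereas one that propagates it fails the load cleanly and logs why.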


Re: [clamav-users] TTL of DNS recode

2016-11-28 Thread Tsutomu Oyamada
Our environment is a local mirror.
However, it does not matter.

I wanted to know if there is a case where the DNS TXT record of ClamAV has
not been updated for a few days.
Could that be possible?
Is this issue caused by a problem in our environment when querying DNS?
The daily.cvd is updated in real time now.
Could this issue happen when freshclam tries to query DNS?

On Fri, 25 Nov 2016 02:20:16 -0800
Al Varnell <alvarn...@mac.com> wrote:

> Was this freshclam log the result of checking your local mirror or a ClamAV 
> mirror?  My guess would be that your local mirror was not up-to-date at the 
> time you ran freshclam from a client computer on your local network.
> 
> -Al-
> 
> On Fri, Nov 25, 2016 at 01:57 AM, Tsutomu Oyamada wrote:
> > 
> > Sorry, 
> > 
> > The part of freshclam log is as follows;
> > 
> > ClamAV update process started at Sat Nov  5 05:01:15 2016
> > Using IPv6 aware code
> > Querying current.cvd.clamav.net
> > TTL: 1797
> > Software version from DNS: 0.99.2
> > main.cvd version from DNS: 57
> > main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
> > amishhamner)
> > daily.cvd version from DNS: 22473
> > 
> > This log shows that freshclam was started at 5:01 of 5th Nov. and the 
> > result of querying DNS was "daily.cvd version: 22473".
> > According to the mail [clamav-virusdb] which is sent daily, the daily.cvd 
> > version should be 22479 at 5:01 of 5th Nov.
> > 
> > We want to know why freshclam cannot get the latest daily.cvd version.
> > Is this difference in daily.cvd version caused by DNS caching?
> > 
> > 
> > On Thu, 24 Nov 2016 10:05:13 +
> > Simon Hobson <li...@thehobsons.co.uk> wrote:
> > 
> >> I realise English is not your main language and this is probably very 
> >> difficult for you to explain in what is to you a foreign language, but I 
> >> don't think we are able to figure out just what is not working ...
> >> 
> >> Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
> >> 
> >>> In the present situation fail.
> >> 
> >> What is failing ?
> >> 
> >> Does your local mirror update ?
> >> If not, post logs from freshclam showing the failures to update.
> >> Also post your freshclam config.
> >> 
> >> If your local mirror does update, then we assume your local clients are 
> >> failing to update from your mirror.
> >> If that is the case, post the freshclam logs from a failing client, and 
> >> it's config.
> >> 
> >> 
> > 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 




Re: [clamav-users] TTL of DNS recode

2016-11-25 Thread Tsutomu Oyamada
Sorry, 

The part of freshclam log is as follows;

ClamAV update process started at Sat Nov  5 05:01:15 2016
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1797
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
amishhamner)
daily.cvd version from DNS: 22473

This log shows that freshclam was started at 5:01 of 5th Nov. and the result of 
querying DNS was "daily.cvd version: 22473".
According to the mail [clamav-virusdb] which is sent daily, the daily.cvd 
version should be 22479 at 5:01 of 5th Nov.

We want to know why freshclam cannot get the latest daily.cvd version.
Is this difference in daily.cvd version caused by DNS caching?


On Thu, 24 Nov 2016 10:05:13 +
Simon Hobson <li...@thehobsons.co.uk> wrote:

> I realise English is not your main language and this is probably very 
> difficult for you to explain in what is to you a foreign language, but I 
> don't think we are able to figure out just what is not working ...
> 
> Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
> 
> > In the present situation fail.
> 
> What is failing ?
> 
> Does your local mirror update ?
> If not, post logs from freshclam showing the failures to update.
> Also post your freshclam config.
> 
> If your local mirror does update, then we assume your local clients are 
> failing to update from your mirror.
> If that is the case, post the freshclam logs from a failing client, and it's 
> config.
> 
> 

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
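The check the message above is asking about, as an added example that is not freshclam's code and not part of the thread: parse the colon-separated TXT record freshclam queries at current.cvd.clamav.net, parse the 512-byte header of a local .cvd/.cld, and report which databases DNS says are newer. The TXT field positions are the ones freshclam uses as I understand its documented layout (software version, main, daily, record timestamp, reserved, functionality level, safebrowsing, bytecode); the record and header values below are constructed. One point the log already settles: freshclam prints the TTL it received, and a caching resolver returns the remaining TTL, so "TTL: 1797" against the zone's 1800 means the resolver's copy of the answer was only about three seconds old, which is what cached_for() computes.

```python
"""Compare the CVD versions advertised in the current.cvd.clamav.net TXT record
with the versions recorded in local .cvd/.cld headers, and turn the TTL that
freshclam logs into "how long has my resolver been caching this answer".

Added illustration only; this is not freshclam's code.  The TXT record and the
CVD header below are CONSTRUCTED for the example (the layouts follow ClamAV's
documented formats, the field values are made up).
"""
from dataclasses import dataclass

# Colon-separated TXT record, field positions as freshclam reads them
# (assumed layout: 0 software version, 1 main, 2 daily, 3 unix time the record
# was generated, 4 reserved, 5 functionality level, 6 safebrowsing, 7 bytecode).
TXT_FIELDS = {"main": 1, "daily": 2, "safebrowsing": 6, "bytecode": 7}
ZONE_TTL = 1800  # TTL the clamav.net zone publishes for the record

# Constructed sample record: daily 22479 is the version the user expected.
SAMPLE_TXT = "0.99.2:57:22479:1478325675:1:63:45066:283"

# Constructed 512-byte CVD header for a local daily.cvd at version 22473.
SAMPLE_DAILY_HEADER = (
    "ClamAV-VDB:05 Nov 2016 04-01 -0400:22473:641990:63:"
    "d41d8cd98f00b204e9800998ecf8427e:dsig-placeholder:neo:1478336475"
).ljust(512).encode("ascii")


@dataclass(frozen=True)
class DnsVersions:
    software: str
    versions: dict      # database name -> version published in DNS
    published_at: int   # unix time the record was generated


def parse_txt_record(txt: str) -> DnsVersions:
    """Split the TXT record into the per-database versions freshclam compares."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError("unexpected TXT record layout: %r" % txt)
    versions = {db: int(fields[i]) for db, i in TXT_FIELDS.items()}
    return DnsVersions(fields[0], versions, int(fields[3]))


def parse_cvd_header(header: bytes) -> dict:
    """Parse the 512-byte header that starts every .cvd/.cld file:
    ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<MD5>:<dsig>:<builder>:<stime>
    (the build time uses '-' instead of ':' so the split is unambiguous)."""
    parts = header[:512].decode("ascii", "replace").rstrip(" \x00").split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 9:
        raise ValueError("not a CVD header")
    return {
        "built": parts[1],
        "version": int(parts[2]),
        "sigs": int(parts[3]),
        "flevel": int(parts[4]),
        "md5": parts[5],
        "builder": parts[7],
    }


def outdated(dns: DnsVersions, local: dict) -> dict:
    """Return {db: (local, published)} for each database DNS says is newer."""
    return {
        db: (local.get(db, 0), pub)
        for db, pub in dns.versions.items()
        if pub > local.get(db, 0)
    }


def cached_for(ttl_seen: int, zone_ttl: int = ZONE_TTL) -> int:
    """Seconds the resolver has already been serving this answer: a caching
    resolver hands back the remaining TTL, so zone_ttl - ttl_seen is its age."""
    if not 0 <= ttl_seen <= zone_ttl:
        raise ValueError("TTL %d outside 0..%d" % (ttl_seen, zone_ttl))
    return zone_ttl - ttl_seen


if __name__ == "__main__":
    dns = parse_txt_record(SAMPLE_TXT)
    local = {"main": 57, "bytecode": 283, "safebrowsing": 45066,
             "daily": parse_cvd_header(SAMPLE_DAILY_HEADER)["version"]}
    print("answer cached for %d s" % cached_for(1797))   # 3
    print("outdated:", outdated(dns, local))               # {'daily': (22473, 22479)}
```

To run it against real data, pass the string from `dig +short TXT current.cvd.clamav.net` to parse_txt_record() and the first 512 bytes of the local daily.cvd to parse_cvd_header(); both are plain arguments so the script itself stays offline. When the resolver's copy is only seconds old and still lags the [clamav-virusdb] announcement, the cache is not where the gap comes from.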


Re: [clamav-users] TTL of DNS record

2016-11-24 Thread Tsutomu Oyamada
In the present situation it fails.
However, it did not fail one month ago.
I do not have a log from when it was successful.

I want to know why it now fails when it used to succeed.

On Thu, 24 Nov 2016 01:19:20 -0800
Al Varnell  wrote:

> What is no longer working fine now?
> 
> Do you have some example freshclam.logs that show issues?
> 
> What ClamAV.net mirrors are you using?




Re: [clamav-users] TTL of DNS record

2016-11-24 Thread Tsutomu Oyamada
Hi, Al.

Thank you for your reply.

I tested in the following environments.

ClamAV.net
| (mirrored once every day)
My local update server
| (freshclam runs 24 hours after mirroring)
freshclam

This environment worked fine until a month ago.

T.O.

On Wed, 23 Nov 2016 19:30:56 -0800
Al Varnell <alvarn...@mac.com> wrote:

> I'm having difficulty following some of your questions and have no answers 
> yet, but what exactly is your mirror environment (IPs)?
> 
> Sent from Janet's iPad
> 
> -Al-
> 
> On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
> > Hi, All.
> > 
> > We know that CVD version information is published in a DNS TXT record; this
> > record's TTL value is currently 1800 seconds. Is this value the same as
> > before?
> > 
> > Also, in our local mirror environment, freshclam succeeds in downloading old
> > versions of CVD (one day old).
> > 
> > I thought it was bound to fail.
> > 
> > Why not?
> > 
> > T.O


[clamav-users] TTL of DNS record

2016-11-23 Thread Tsutomu Oyamada
Hi, All.

We know that CVD version information is published in a DNS TXT record; this
record's TTL value is currently 1800 seconds. Is this value the same as
before?

Also, in our local mirror environment, freshclam succeeds in downloading old
versions of CVD (one day old).

I thought it was bound to fail.

Why not?

T.O




Re: [clamav-users] FP

2016-11-12 Thread Tsutomu Oyamada
Hi, Al

Thank you, we found that the previous detection error (false positive) has been 
solved.

In addition to the above, the following signature also causes another detection 
error (false positive).

Swf.Exploit.CVE_2016_7865-1

The files were uploaded to the FP site.

com.ibm.tivoli.tpm.video.doc_7.2.1.jar
createjs_short_controller.swf
explore_ui_controller.swf
using_ic_controller.swf

All errors were caused by the same signature.

We would like to ask you to resolve this issue.

T.O

On Fri, 11 Nov 2016 02:23:41 -0800
Al Varnell <alvarn...@mac.com> wrote:

> I see that the definition was dropped in daily - 22512.
> 
> -Al-
> 
> On Tue, Nov 08, 2016 at 10:52 PM, Tsutomu Oyamada wrote:
> > 
> > Hi, all.
> > 
> > We have a problem with a detection error (false positive) against a file.
> > We are receiving complaints about this issue from one of our customers every 
> > day.
> > 
> > We put the sample file on http://www.clamav.net/reports/fp two weeks and more 
> > ago, several times.
> > However, we have not gotten any new cvd which solves the false positive.
> > 
> > The file we sent is as follows;
> > SHA256: 7b0eeafc01df6df00726d29af0e8c0b42485963ddbcd8781a16349a84071
> > file name:  filegroup4.jar
> > FP: Swf.Exploit.CVE_2015_7645-1
> > 
> > We want this problem to be solved in the cvd, though we know we can work 
> > around it using .fp.
> > 
> > T.O




[clamav-users] FP

2016-11-08 Thread Tsutomu Oyamada
Hi, all.

We have a problem with a detection error (false positive) against a file.
We are receiving complaints about this issue from one of our customers every day.

We put the sample file on http://www.clamav.net/reports/fp two weeks and more 
ago, several times.
However, we have not gotten any new cvd which solves the false positive.

The file we sent is as follows;
SHA256: 7b0eeafc01df6df00726d29af0e8c0b42485963ddbcd8781a16349a84071
file name:  filegroup4.jar
FP: Swf.Exploit.CVE_2015_7645-1

We want this problem to be solved in the cvd, though we know we can work around 
it using .fp.

T.O


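The .fp workaround the message above mentions, as an added example that is not ClamAV's code: build a .fp line (MD5:size:name, the same format `sigtool --md5 FILE` prints) that whitelists the specific file, and a .ign2 line that disables the signature by name. The sample bytes are constructed and stand in for the flagged file; the signature name is the one from the message. The caveat a practitioner wants: a .fp entry matches only that exact byte sequence (hash the object the detection was reported for, and re-generate it if the file changes), while .ign2 switches the signature off for every file, so the .fp is the narrower stop-gap while waiting for the signature to be fixed.

```python
"""Build the two local-override entries ClamAV offers for a false positive:
a .fp line (MD5:size:name) that whitelists one specific file, and a .ign2
line that disables one signature by name everywhere.

Added illustration, not ClamAV's code.  SAMPLE_FILE is CONSTRUCTED and stands
in for the file that was flagged; the signature name is the one reported in
the thread.  The entry formats follow ClamAV's signature documentation.
"""
import hashlib
import os
import re
import tempfile

FLAGGED_SIGNATURE = "Swf.Exploit.CVE_2015_7645-1"
SAMPLE_FILE = b"constructed sample standing in for filegroup4.jar\n"

# Signature names: letters, digits, '.', '_' and '-' (no spaces or colons).
_SIG_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def fp_entry(data: bytes, label: str) -> str:
    """MD5:size:label -- whitelists exactly these bytes; any change invalidates it."""
    if not label or ":" in label:
        raise ValueError("label must be non-empty and contain no ':'")
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), label)


def ign2_entry(signature: str) -> str:
    """One signature name per line; disables that signature for every file."""
    if not _SIG_NAME.match(signature):
        raise ValueError("not a valid signature name: %r" % signature)
    return signature


def write_overrides(db_dir: str, files: dict, signatures: list) -> dict:
    """Write local.fp and local.ign2 into db_dir (clamd's DatabaseDirectory, or
    a directory handed to clamscan -d); returns the lines written for review."""
    fp_lines = [fp_entry(data, name) for name, data in files.items()]
    ign_lines = [ign2_entry(sig) for sig in signatures]
    os.makedirs(db_dir, exist_ok=True)
    for fname, lines in (("local.fp", fp_lines), ("local.ign2", ign_lines)):
        with open(os.path.join(db_dir, fname), "w") as fh:
            fh.write("".join(line + "\n" for line in lines))
    return {"local.fp": fp_lines, "local.ign2": ign_lines}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        written = write_overrides(tmp, {"filegroup4.jar": SAMPLE_FILE},
                                  [FLAGGED_SIGNATURE])
        for fname, lines in written.items():
            print(fname)
            for line in lines:
                print("  " + line)
```

Drop the generated files into the database directory and have clamd reload (`clamdscan --reload`, or the RELOAD command on the socket); to confirm the override before touching the daemon, scan the file with `clamscan -d <that directory> FILE`, which loads every database file found there.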

Re: [clamav-users] freshclam error

2016-09-30 Thread Tsutomu Oyamada
Sorry,

We were confused.
The version was 0.97.8, which is older.
We upgraded to ClamAV version 0.98.1.
Since doing so, there have been no problems.

T.O

On Fri, 30 Sep 2016 12:11:49 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 30.09.16 00:01, Tsutomu Oyamada wrote:
> >The following error is shown when the CVD is updated by freshclam:
> >
> >Sep 27 04:00:05 W1K freshclam[26882]: [LibClamAV] mpool_malloc():Attempt to 
> >allocate 8388608 bytes. Please report to http://bugs.clamav.net
> >
> >This error has been shown since 26th September.
> >The version of ClamAV is 0.98.1.
> >
> >Could you tell us the cause of this error and how to solve it?
> 
> you are apparently running out of memory.
> How much memory do you have installed and what 3rd party databases do you use?
> 
> is there other memory-hungry software installed on that machine?
> -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "Where do you want to go to die?" [Microsoft]


Re: [clamav-users] freshclam error

2016-09-29 Thread Tsutomu Oyamada
Thank you for your reply.

We tried it on another machine.
There, the result is successful.
It is running the same freshclam module.
Is the cause insufficient memory allocation?

Current working dir is /usr/lib/clamav
Max retries == 3
ClamAV update process started at Fri Sep 30 00:19:08 2016
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 186
Software version from DNS: 0.99.2
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.1 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd version from DNS: 57
Retrieving http://m82pxl1g/main.cvd
Trying to download http://m82pxl1g/main.cvd (IP: 192.168.16.80)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4218790 signatures from new main.cvd
main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 22273
Retrieving http://m82pxl1g/daily.cvd
Trying to download http://m82pxl1g/daily.cvd (IP: 192.168.16.80)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 642055 signatures from new daily.cvd
daily.cvd updated (version: 22273, sigs: 642076, f-level: 63, builder: neo)
bytecode.cvd version from DNS: 283
Retrieving http://m82pxl1g/bytecode.cvd
Trying to download http://m82pxl1g/bytecode.cvd (IP: 192.168.16.80)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 53 signatures from new bytecode.cvd
bytecode.cvd updated (version: 283, sigs: 53, f-level: 63, builder: neo)
Database updated (4860919 signatures) from m82pxl1g (IP: 192.168.16.80)

Best regards,

Tsutomu Oyamada
Promark inc.
Japan

On Thu, 29 Sep 2016 17:15:01 +0200
Reindl Harald <h.rei...@thelounge.net> wrote:

> 
> 
> Am 29.09.2016 um 17:05 schrieb robin.wakefi...@ubs.com:
> > We've just noticed this has started to appear in the logs too.  Any clues 
> > please?
> 
> also with the outdated clamav?
> clamav-update-0.99.2-1.fc24.x86_64 has no problems
> 
> neither of you finds it worth telling the distro and version, while in the case of an 
> outdated distro binary, because of a wrong understanding of LTS, it has its place in 
> the distribution's bugtracker
> 
> they most likely updated some other library which triggers the problem
> 
> Sep 29 16:25:18 buildserver freshclam[29365]: ClamAV update process started 
> at Thu Sep 29 16:25:18 2016
> Sep 29 16:25:18 buildserver freshclam[29365]: main.cvd is up to date 
> (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
> Sep 29 16:25:48 buildserver freshclam[29365]: nonblock_connect: connect 
> timing out (30 secs)
> Sep 29 16:25:48 buildserver freshclam[29365]: Can't connect to port 80 of 
> host db.at.clamav.net (IP: 81.223.20.171)
> Sep 29 16:25:48 buildserver freshclam[29365]: Trying host db.at.clamav.net 
> (193.1.193.64)...
> Sep 29 16:25:49 buildserver freshclam[29365]: Downloading daily-22273.cdiff 
> [100%]
> Sep 29 16:25:50 buildserver freshclam[29365]: daily.cld updated (version: 
> 22273, sigs: 642076, f-level: 63, builder: neo)
> Sep 29 16:25:51 buildserver freshclam[29365]: safebrowsing.cvd is up to date 
> (version: 45066, sigs: 3009769, f-level: 63, builder: google)
> Sep 29 16:25:51 buildserver freshclam[29365]: bytecode.cvd is up to date 
> (version: 283, sigs: 53, f-level: 63, builder: neo)
> Sep 29 16:25:56 buildserver freshclam[29365]: Database updated (7870688 
> signatures) from db.at.clamav.net (IP: 193.1.193.64)
> 
> > -Original Message-
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> > Of Rafael Ferreira
> > Sent: 29 September 2016 16:03
> > To: ClamAV users ML
> > Subject: Re: [clamav-users] freshclam error
> >
> > That appears to be a memory issue with your host, the malloc (memory 
> > allocator) is failing.
> >
> >> On Sep 29, 2016, at 8:01 AM, Tsutomu Oyamada <oyam...@promark-inc.com> 
> >> wrote:
> >>
> >> Hi,
> >>
> >> The following error is shown when the CVD is updated by freshclam:
> >>
> >> Sep 27 04:00:05 W1K freshclam[26882]: [LibClamAV] mpool_malloc():Attempt 
> >> to allocate 8388608 bytes. Please report to http://bugs.clamav.net
> >>
> >> This error has been shown since 26th September.
> >> The version of ClamAV is 0.98.1.
> >>
> >> Could you tell us the cause of this error and how to solve it?


[clamav-users] freshclam error

2016-09-29 Thread Tsutomu Oyamada
Hi,

The following error is shown when the CVD is updated by freshclam:

Sep 27 04:00:05 W1K freshclam[26882]: [LibClamAV] mpool_malloc():Attempt to 
allocate 8388608 bytes. Please report to http://bugs.clamav.net

This error has been shown since 26th September.
The version of ClamAV is 0.98.1.

Could you tell us the cause of this error and how to solve it?

Best regards,

Tsutomu Oyamada
Promark Inc.
Japan




Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Tsutomu Oyamada
There are still false positives for "Zip.Suspect.MacroDoubleExtension-zippwd".
(see attached file)
When will this false positive be resolved?


On Wed, 17 Feb 2016 20:16:02 -0800
Dennis Peterson  wrote:

> My experience with these kinds of failures is that the pattern is not properly 
> anchored or the writer doesn't understand greedy grep patterns, or both. 
> Fallout from the new pcregrep, perhaps? I've not analyzed it so am 
> speculating here, but the lesson learned after decades of doing this is that if 
> regex results amaze you then you have probably screwed up somewhere when writing 
> the pattern. Or as one of my staff liked to say, something we're sure of is 
> wrong.
> 
> dp
> 
> On 2/16/16 7:02 PM, Al Varnell wrote:
> > Resubmitted.
> >
> > 87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub
> >
> > -Al-
> >
> > On Feb 14, 2016, at 4:34 PM, Al Varnell  wrote:
> >
> >> I attempted to submit the sample I have to 
> >> http://www.clamav.net/reports/fp and it was similarly rejected as "empty." 
> >>  Scanned the file on my computer after updating definitions still shows it 
> >> as infected.  Uploading it to VirusTotal results in only a ClamAV 
> >> detection:
> >> .
> >>
> >>


[clamav-users] about countermeasure for false positive

2016-03-08 Thread Tsutomu Oyamada
Hello,

We believe you run some tests against a new pattern file for ClamAV, by which you 
can find out whether the new pattern file will work properly and effectively in the 
existing systems without any problem, before you release any new pattern file to 
the market.

Could you tell us what type and/or which level of tests you perform?


Tsutomu Oyamada




[clamav-users] False positive

2016-02-17 Thread Tsutomu Oyamada
Hi,

A false positive which detected a normal file as the malware 
"win.Trojan.Bancos-2115" occurred last week.
It started with CVD version 21359 and was fixed by 21362.
Could you tell us what the cause of this false positive was?
And also, could you tell us what steps you take to prevent false positives?

I have another question: has the false positive of 
"Zip.Suspect.MacroDoubleExtension-zippwd" been fixed?

T.Oyamada



Re: [clamav-users] about MaxQueue

2014-02-19 Thread Tsutomu Oyamada
Hi, Steve,

Thanks for your advice.
We'll try the clamdtop command.

BTW, how does it affect MaxQueue in clamd?

Best regards,
Tsutomu Oyamada

On Tue, 18 Feb 2014 16:13:15 -0500
Steven Morgan smor...@sourcefire.com wrote:

> Tsutomu,
> 
> Take a look at the clamdtop command. There are also some unix commands that
> may help: ps -eLF, lsof, gdb/info threads. If these do not get you the info
> you are looking for, you can modify the code to put in the confirmations.
> The code handling threads and queues is clamd/others.c, clamd/thrmgr.c, and
> clamd/server-th.c.
> 
> Hope this helps,
> Steve
> 
> 
> On Tue, Feb 18, 2014 at 5:41 AM, Tsutomu Oyamada 
> oyam...@promark-inc.com wrote:
> 
> > Hi,
> >
> > We would like to know when the MaxQueue value in the configuration file has
> > any influence while clamd is scanning.
> > We are investigating session matters with the following settings.
> > Can we confirm MaxThreads with the ptree command?
> > Could you tell us how to confirm the behavior of the configured value of
> > MaxQueue?
> >   MaxThreads 40
> >   MaxQueue 80
> > Please find the current clamd.conf attached.
> >
> > We verify clamd by calling it via a socket from a file scanner program.
> > The version of clamd is 0.98.1, and the platform is System z (s390x).
> >
> > Thanks,
> > T.Oyamada



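One way to observe the counters Steve points at without clamdtop or gdb, as an added example that is not ClamAV's code: clamd's STATS command reports the thread pool and the scan queue, so a small client can read them over the control socket and set them against MaxThreads and MaxQueue from clamd.conf. SAMPLE_STATS is a constructed reply in the shape clamd's STATS output takes, and the socket path is an assumption. The clamd.conf comment for MaxQueue says the queued count includes the items currently being processed by the MaxThreads threads, so the figure to watch is the QUEUE line against MaxQueue once the idle thread count has reached zero.

```python
"""Read clamd's thread-pool and queue state via the STATS command and compare
it with the MaxThreads / MaxQueue limits configured in clamd.conf.

Added illustration, not ClamAV's code.  SAMPLE_STATS is a CONSTRUCTED reply
in the shape clamd's STATS output takes ("THREADS: live N  idle N max N
idle-timeout N" and "QUEUE: N items"); the socket path is an assumption.
"""
import re
import socket

# Constructed reply: all 40 threads busy, 73 items queued, MaxQueue 80.
SAMPLE_STATS = """POOLS: 1

STATE: VALID PRIMARY
THREADS: live 40  idle 0 max 40 idle-timeout 30
QUEUE: 73 items

MEMSTATS: heap 3.535M mmap 0.000M used 3.103M free 0.431M releasable 0.119M pools 1 pools_used 493.421M pools_total 493.421M
END
"""

_THREADS = re.compile(r"^THREADS:\s+live\s+(\d+)\s+idle\s+(\d+)\s+max\s+(\d+)", re.M)
_QUEUE = re.compile(r"^QUEUE:\s+(\d+)\s+items", re.M)


def parse_stats(reply: str) -> dict:
    """Pull the thread and queue counters out of a STATS reply."""
    threads = _THREADS.search(reply)
    queue = _QUEUE.search(reply)
    if not threads or not queue:
        raise ValueError("unrecognised STATS reply")
    return {
        "live": int(threads.group(1)),   # threads currently alive (max == MaxThreads)
        "idle": int(threads.group(2)),   # threads waiting for work
        "max": int(threads.group(3)),
        "queued": int(queue.group(1)),   # items queued, including ones being scanned
    }


def queue_pressure(stats: dict, max_queue: int) -> dict:
    """MaxQueue only starts to matter once no thread is idle: from then on new
    requests accumulate in the queue, and MaxQueue caps that count."""
    saturated = stats["idle"] == 0 and stats["live"] >= stats["max"]
    return {
        "threads_saturated": saturated,
        "queue_free": max(max_queue - stats["queued"], 0),
        "at_limit": saturated and stats["queued"] >= max_queue,
    }


def query_stats(socket_path: str = "/var/run/clamav/clamd.ctl") -> dict:
    """Send zSTATS over the local socket (assumed path) and parse the reply.
    The 'z' prefix asks clamd for a NUL-terminated command/response."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(b"zSTATS\0")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"END" in data:
                break
    return parse_stats(b"".join(chunks).decode("ascii", "replace"))


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    print(stats)                        # live 40, idle 0, max 40, queued 73
    print(queue_pressure(stats, 80))    # saturated, 7 queue slots left
```

Polling this while the scanner program is driving clamd shows the moment idle threads hit zero and the queue begins to grow toward MaxQueue, which is the behaviour the original question asks how to confirm; with MaxThreads 40 and MaxQueue 80 the queue can hold at most 40 waiting items beyond the ones being scanned.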

[clamav-users] about MaxQueue

2014-02-18 Thread Tsutomu Oyamada
Hi,

We would like to know when the MaxQueue value in the configuration file has any 
influence while clamd is scanning.
We are investigating session matters with the following settings.
Can we confirm MaxThreads with the ptree command?
Could you tell us how to confirm the behavior of the configured value of MaxQueue?
  MaxThreads 40
  MaxQueue 80
Please find the current clamd.conf attached.

We verify clamd by calling it via a socket from a file scanner program.
The version of clamd is 0.98.1, and the platform is System z (s390x).

Thanks,
T.Oyamada

[clamav-users] question about clamd configurations

2013-12-16 Thread Tsutomu Oyamada
Hi, all.

I have a question about the settings of clamd.

In the clamd.conf file, there are the parameters;

- MaxHTMLNormalize
- MaxHTMLNoTags
- MaxScriptNormalize

I want to know how these parameters work.
In what cases do these parameters have an effect?

What is the meaning of Normalize?

I also have a question about MaxZipTypeRcg.
MaxZipTypeRcg is for re-analysis of the type of ZIP files; in what case is the 
re-analysis performed?

best regards,
Tsutomu Oyamada
