Re: [clamav-users] clamav DOA

2021-11-18 Thread Vladislav Kurz via clamav-users

On 18 Nov 2021 at 13:09, Cody Allen wrote:
Frustrated; I have spent days with a broken clamav and nothing seems to work 
to download the db. Can someone please shed some light on what is wrong 
and how to address the problem? Running on a Debian jessie appliance. At 
this point I'm dead in the water: without the database the service tanks 
and will not start, freshclam will not download, and I have found no method 
to manually get or update the db.


Using IPv6 aware code
Max retries == 3
Querying current.cvd.clamav.net
TTL: 962
Software version from DNS: 0.103.4
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.2 Recommended version: 0.103.4
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Retrieving http://database.clamav.net/main.cvd

Ignoring mirror 104.16.218.84 (due to previous errors)
Ignoring mirror 104.16.219.84 (due to previous errors)
Ignoring mirror 104.16.218.84 (due to previous errors)
Ignoring mirror 104.16.219.84 (due to previous errors)
WARNING: Can't download main.cvd from database.clamav.net

Trying again in 5 secs...


I have seen something similar on an older instance of clamav, where the 
database was seriously out-of-date. The problem was that the download of 
new databases took too long. It worked, but was slow, and freshclam 
timed out before finishing the download and started over again. I think 
I had to increase "ReceiveTimeout 30" in freshclam.conf.


--
Best Regards
Vladislav Kurz

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Vladislav Kurz via clamav-users
On Thursday, 8 April 2021 16:17:24 CEST, Ralf Hildebrandt via clamav-users 
wrote:
> * Vladislav Kurz via clamav-users :
> > How about just making the file empty?
> 
> I think this causes an error in clamav/clamd

Then just make it as small as possible, e.g. leave only one signature in the 
file, or something like that.

-- 
Best regards
    Vladislav Kurz






Re: [clamav-users] ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Vladislav Kurz via clamav-users
On Wednesday, 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via clamav-users 
wrote:
> > https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html
> > 
> > Are you still attempting to download safebrowsing.cvd?
> > 
> > and continue to download the safebrowsing.cvd account for nearly 10TB of
> > traffic a month, just for that file.
> > 
> > As a result, we have put in a block to make any attempts to download the
> > safebrowsing.cvd result in a 403 error.

How about just making the file empty? 
Also, I wonder whether freshclam checks if the file has been modified, and 
skips the download if not?

-- 
Best regards
Vladislav Kurz






Re: [clamav-users] ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-07 Thread Vladislav Kurz via clamav-users
On Wednesday, 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via clamav-users 
wrote:
> > https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html
> > 
> > Are you still attempting to download safebrowsing.cvd?
> > 
> >  It has come to our attention that a few of you (about 515,000 of you, to
> >  be more accurate), are still attempting to download the safebrowsing.cvd
> >  file from the official ClamAV mirrors.  This tells us that these
> >  attempted downloads are an installation of FreshClam (a non-updated
> >  FreshClam.conf or other script) that have not been updated to remove the
> >  safebrowsing database.

Hello,

These could be Debian users. The Debian package offers to enable 
safebrowsing.cvd, and there is no indication that it is discontinued. Perhaps, 
if you talk to the Debian ClamAV maintainers, they could release an update that 
disables this option without asking?

Anyway, I was one of those, and I am now disabling it everywhere...

-- 
Best Regards
Vladislav Kurz






Re: [clamav-users] Virus Sigs not updating

2021-02-21 Thread Vladislav Kurz via clamav-users
On Saturday, 20 February 2021 14:34:24 CET, Charles Harbud via clamav-users 
wrote:
> Hi, for the last 3 weeks Clamwin has not been able to update its virus
> signatures on my computer (Windows 2000, X32). The log says some (or all)
> the mirrors are down.
> May I ask, has anything changed with them? (Nothing has changed here.) It's
> eating up all my bandwidth as Clamwin retries throughout the day. Thanks

I have noticed something similar when updating a clamav database that 
was too old (not updated for a long time). Freshclam has a download timeout 
(default 30 s), and if the update is not finished in that time, it tries again. 
IMHO quite stupid... The update was working perfectly; it just needed to 
download so many updates that it needed about 60 s to finish.

-- 
Best regards
Vladislav Kurz






Re: [clamav-users] Squid + ClamAV

2020-04-01 Thread Vladislav Kurz via clamav-users
On Wednesday, 1 April 2020 15:47:09 CEST, Andrea Venturoli via clamav-users 
wrote:
> Hello.
> 
> I'm trying the combination Squid + C-ICAP + SquidClamAV + ClamAV, and
> I'm seeing terrible performance.
> It seems there's no SquidClamAV specific mailing list and asking on
> generic Squid list did not help much.
> Perhaps someone here is using the same thing or knows how to better
> tweak the engine.

Hello, 

A few years ago I used squid + c-icap + clamav (without squidclamav), and it 
worked fine. I'm not sure why I stopped using it; maybe it broke on a server 
upgrade or something. (And I had good antivirus on clients anyway.)

> The whole thing is working, but page loading times varies a lot:
> sometimes they'll load as fast as without virus scanning, but often (the
> same pages) will take several seconds to display (with ClamAV eating a
> lot of CPU).
> I tried to see what is being scanned, but since SquidClamaAV uses inline
> connections, clamdtop seems to be helpless.

Are you running clamav as a daemon? Is c-icap using the daemon socket (as if 
running clamdscan)? If not, it might be spawning clamscan for every downloaded 
page, and the startup of clamav takes a very long time (parsing all the rules).

Also check whether you have enough memory; both clamav and squid can eat a lot, so 
check that you are not swapping.

Best Regards
Vladislav Kurz



Re: [clamav-users] Multiple Clam Daemons on a single system

2020-03-05 Thread Vladislav Kurz via clamav-users
On 05/03/2020 12:26, Matus UHLAR - fantomas wrote:
> On 05.03.20 15:38, Ashish Poddar via clamav-users wrote:
>> We have a situation where we run a clamav daemon to scan files on a
>> system.
> 
> how?
> 
>> However, in the process, we only use about 10% CPU in the system. We
>> would
>> naturally like to increase this number. We were thus trying to come up
>> with
>> a way to scan multiple files in parallel on the same system. Is there
>> a way
>> we can spawn multiple clam daemons to do this?
> 
> afaik single clamav daemon is able to scan multiple files in parallel.
> 
>> I am aware of the multiscan mode in clamdscan but I want each scan to
>> be a
>> separate process so as to not increase the overall scan time of any one
>> file.
> 
> I don't understand. Why do you think that scanning in multiple threads
> increases scan time?

I don't see how multi-thread or multi-process would be different.
But I do not recommend scanning in parallel; the disk I/O is IMHO the
bottleneck, which is why you use only 10% of CPU, and running multiple scans in
parallel will make things even worse.



-- 
Best Regards
Vladislav Kurz




Re: [clamav-users] clamav-unofficial-sigs download script updated

2020-01-31 Thread Vladislav Kurz via clamav-users
On 31/01/2020 15:06, Michael Orlitzky via clamav-users wrote:
> On 1/31/20 2:47 AM, Steve Basford wrote:
>> Hi All,
>>
>> eXtremeSHOK.com's clamav-unofficial-sigs download script has been 
>> updated:
>>
>> https://github.com/extremeshok/clamav-unofficial-sigs
>>
>> Change Log
>>
>> Version 7.0.1 (Updated 25 January 2020)
>>
> 
> Beware, as of a few versions ago this script is filled with a million
> unsafe uses of chown and chmod, running as root. The script should never
> be using chown/chmod in the first place, so all of these are wrong,
> 
>   $ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
>   40
> 
> and many of them are exploitable if the clamav user swaps out one of the
> targets for a symlink pointing to e.g. /etc/passwd. And since the script
> runs on a predictable schedule, you have all the time in the world to do
> that.

True. This script should never be run as root, but as clamav user. Thus
chown would not be needed at all. Just as freshclam is run as clamav
user too.



-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op
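The two points in this thread, that a signature downloader running as the clamav user needs no chown/chmod at all, and that a privileged script touching a swappable path can be redirected through a symlink, can both be checked with a few lines of POSIX shell. This is an added example, not code from the thread or from the clamav-unofficial-sigs script; the function names, the database directory argument and the audit script path are assumptions.

```shell
#!/bin/sh
# Added example: install a freshly downloaded signature file into the ClamAV
# database directory without chown/chmod and without following symlinks.
# Meant to run as the unprivileged clamav user (like freshclam), so the only
# files it can affect are ones that user already owns.

# safe_install_db SRC DBDIR
#   Copies SRC into DBDIR under the same basename, via a temporary file in
#   DBDIR and an atomic rename.  Refuses if DBDIR or the target path is a
#   symlink (the swap-in-a-symlink case from the thread), so an unexpected
#   link is noticed instead of silently written through or replaced.
#   Returns 0 on success, 1 on refusal or error.
safe_install_db() {
    src=$1
    dbdir=$2
    name=$(basename "$src")
    dest="$dbdir/$name"

    # The directory itself must be a real directory, not a symlink.
    if [ -L "$dbdir" ] || [ ! -d "$dbdir" ]; then
        echo "refusing: $dbdir is a symlink or not a directory" >&2
        return 1
    fi
    # An existing target must not be a symlink either: a plain
    # "cat > $dest" or "cp" would write through it to wherever it points.
    if [ -L "$dest" ]; then
        echo "refusing: $dest is a symlink" >&2
        return 1
    fi

    # Write to a fresh temp file in the same directory (mktemp creates it
    # with mode 0600), then rename.  rename(2) never follows a link and the
    # replacement of the old file is atomic, so clamd never sees a half
    # written database.  No chown or chmod anywhere.
    tmp=$(mktemp "$dbdir/.$name.XXXXXX") || return 1
    if ! cat "$src" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# count_chown_chmod SCRIPT
#   The audit grep from the thread wrapped so it always prints a number: how
#   many lines of SCRIPT invoke chown or chmod.  A downloader meant to run
#   as the clamav user should report 0.
count_chown_chmod() {
    n=$(grep -c -e chown -e chmod "$1" 2>/dev/null)
    echo "${n:-0}"
}
```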



Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-18 Thread Vladislav Kurz via clamav-users
On 17/10/2019 17:44, G.W. Haywood via clamav-users wrote:
> Hello again,
> 
> On Thu, 17 Oct 2019, Vladislav Kurz via clamav-users wrote:
> 
>> Is there anything blocking this patch from being accepted ?
> 
> As far as I know, only the (significant) pressures and (AFAICT equally
> significant) limitations on developer time at Cisco/Talos/SourceFire.
> 
>> I'm noticing clamav-reload related timeouts on more and more (mostly
>> older or low-end) servers, which were running just fine a year or two
>> ago.
> 
> There are other ways of dealing with this, as I'm sure you're aware, but
> using the patched daemon you only have to worry about the increased
> memory consumption during database reloads.

Hello

Well, the only option other than using your patch I know of is to
increase the AV scan timeout in the SMTP server. But I'm afraid that the
sender might give up waiting for the final acknowledgement of DATA. And I
do not want to accept the message before it is scanned (to avoid
backscatter or silent discard of messages).

> It seems to me that the amount of junk mail grows ever more quickly.
> When not testing clamd, I routinely block for example all connections
> from more than a hundred countries, a similar number of ASNs, and all
> hosts which score a total of three or more in our weighted DNSBL list.
> That's quite apart from the more targeted block lists.  Obviously this
> isn't an option for everyone, but here it makes the difference between
> email being useful, and email being nothing but a nuisance.

The speed of scan itself is not a problem, just the reload takes a few
minutes on low-end/old servers.



-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op



Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-17 Thread Vladislav Kurz via clamav-users
On 17/10/2019 16:51, G.W. Haywood via clamav-users wrote:
> Hi there,
> 
> On Thu, 17 Oct 2019, Vladislav Kurz via clamav-users wrote:
> 
>> So the question is - what would be easier to code?
>> - reloading in background thread
>> - reloading limited to new files
> 
> It is not clear to me that the latter suggestion is feasible, but...
> 
> 1. Reload in a separate thread was first coded about six years ago.
> 
> 2. After other, more recent discussions on this list some weeks ago,
>    I provided a patch for the current version of clamd, using that
>    original code as a basis.  Yet more recently, one of the ClamAV
>    developers provided a similar patch.  Both are freely available.
> 
> 3. I've been running the patched code without issue for months.

Oh great. Thank you Ged for writing and testing it. I apologise for not
noticing that this patch is already done. Is there anything blocking
this patch from being accepted?

I'm noticing clamav-reload related timeouts on more and more (mostly
older or low-end) servers, which were running just fine a year or two ago.

-- 
Best regards
Vladislav Kurz



Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-17 Thread Vladislav Kurz via clamav-users
On 17/10/2019 15:40, Markus Kolb via clamav-users wrote:
> On 07.10.2019 08:57, Sergey wrote:
>> On Friday 13 September 2019, Markus Kolb via clamav-users wrote:
>>
>>> I've opened an enhancement bug for this:
>>> https://bugzilla.clamav.net/show_bug.cgi?id=12389
>>
>> Thanks. But I have one more question. Do I understand correctly
>> that when loading main.cvd base rules are created quickly and
>> the problem is in their subsequent update from daily.* files?
>>
>> Maybe it's time to update main.cvd and reduce daily.* while
>> bug 12389 is being processed?
> 
> It doesn't matter if the rules are in daily- or main-file.
> The rules currently in daily are more complex and so slower.

Hello everybody,

just an idea, are all databases reloaded when the reload request comes?
Would it be possible to reload only those that have changed since last
reload? Then it would be beneficial to have large main.* and smaller
daily.* files, and forking and loading in background would not be needed.

So the question is - what would be easier to code?
- reloading in background thread
- reloading limited to new files

-- 
Best Regards
Vladislav Kurz



Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-07 Thread Vladislav Kurz via clamav-users
On 07/10/2019 08:57, Sergey wrote:
> On Friday 13 September 2019, Markus Kolb via clamav-users wrote:
> 
>> I've opened an enhancement bug for this: 
>> https://bugzilla.clamav.net/show_bug.cgi?id=12389
> 
> Thanks. But I have one more question. Do I understand correctly
> that when loading main.cvd base rules are created quickly and 
> the problem is in their subsequent update from daily.* files?
> 
> Maybe it's time to update main.cvd and reduce daily.* while
> bug 12389 is being processed?
> 

I support this idea. Daily.cvd is at the moment bigger than main.cvd, and
main.cvd has not been updated for at least two years (maybe even more).

-- 
Best Regards
Vladislav Kurz




Re: [clamav-users] About clamav's requirements for system resources

2018-11-05 Thread Vladislav Kurz
On 11/3/18 5:23 PM, Matus UHLAR - fantomas wrote:
>> zhuangxiaohui wrote:
>>> I have some servers (CentOS 6/7). Most of them have 1GB memory, 600M
>>> available. But there are also servers with low memory, for example 512M
>>> memory, 200M available.
>>> When I install "clamav" on a server which has 600M available memory and
>>> start the "clamd" service, I find that clamd's resident memory is about
>>> 500M. But on servers that have only 200M of available memory, the
>>> resident memory is about 100M. So I doubt if clamd will work properly on
>>> these servers, although both scanning and database updates work normally.
>>>
>>> Would you please tell me the lowest clamav requirements for system
>>> resources, especially the memory?
>>> I've searched on your website but got nothing about this :(
> 
> On 02.11.18 15:43, Kris Deugau wrote:
>> I wouldn't run ClamAV with stock signatures on anything less than 1G,
>> and I wouldn't run much else on that machine.  If you're running a
>> very light workload with a dedicated machine, you might get away with
>> 512M.
> 
> I run clamav with 3rd party signatures from Debian package
> clamav-unofficial-sigs everywhere.  In this case, clamav eats nearly 1G of
> RAM.
> 
> I can't tell you how much of it eats clamav without those signatures, but I
> wouldn't run clamav on machines with less than 1GB either.
> 

The unofficial signatures do not eat much extra memory. I think it is
not more than 10% extra, virtually for free. I agree that 1 GB is
minimum, and as you would most probably have a mail server as well, I
recommend 2 GB.

-- 
Best regards
Vladislav Kurz



Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Vladislav Kurz
On 07/31/18 11:10, Fraenzl, Martin wrote:
> Hi all,
> 
>  
> 
> I’m using clamav as scanner for my Exim MTA.
> 
> Since I updated from 0.99.4 to 0.100.1, Exim is not able to connect to
> clamd.

If you are using unofficial rules, disable yara rules.

https://github.com/extremeshok/clamav-unofficial-sigs/issues/203

-- 
best Regards
Vladislav Kurz



Re: [clamav-users] clamav and sanesecurity.com databases

2017-11-28 Thread Vladislav Kurz
On 11/28/17 03:26, Noel Jones wrote:
> On 11/27/2017 6:50 PM, Jobst Schmalenbach wrote:
>> Hi
>>
>> I just read in another thread about sanesecurity.com.
>> So I went to the website and read about the downloading scripts, the 
>> configuration etc.
>>
>> I cannot seem to find the link between the extra databases on the system 
>> downloaded into a directory
>> "/var/log/clamav-unofficial-sigs/" and how to make clamd aware of these 
>> signatures.
>>
>> Now I have a question: How do I tell clamd that there is another data base 
>> directory?
>>
>> Jobst
>>
>>
> 
> 
> All the virus databases go in the same directory.
> 

Hello,

if you use the script provided by sanesecurity, it will copy selected
unofficial databases to /var/lib/clamav (or other configured place)
where clamav stores its databases.


-- 
Best regards
Vladislav Kurz



Re: [clamav-users] Clamav + EXIM error malware acl condition: error while creating mbox spool file

2017-11-08 Thread Vladislav Kurz
On 11/07/17 19:37, Emanuel wrote:
> I use exim with clamav.
> 
> Everything is working fine and mails with attachment get scanned,and if
> malware is found, these are rejected. BUT I have lots of
> 
> malware acl condition: error while creating mbox spool file
> 
> eximscan  100M  100M 0 100% /var/spool/exim/scan
> 
> Why is not the partition cleaned?
> 
> Thanks for any hints or help in advance.

Hello,

100 MB is quite small. If a few mails arrive in parallel, it may have
been filled easily. Also keep in mind that exim (in some circumstances)
decodes MIME parts into separate files, and thus needs 2x more space in
the scan spool.

I also see occasional (but very rare) leftovers in /var/spool/exim/scan

-- 
Best Regards
Vladislav Kurz


Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Vladislav Kurz
Hello,

did you really drop the signature?

During the weekend scan (clamscan), we got 45 false positives. According
to the file names, they seem to be signed official PDF documents from the government.

On 04/28/17 17:16, Christopher Marczewski wrote:
> Thanks for the reports. We'll be modifying the signature.
> 
> In the interim, I've dropped the current signature.
> 
> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz wrote:
> 
>> I have the same problem, and already submitted a false positive report.
>> In our case it was a signed pdf, so I suspect that the signature makes
>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>> scanning?
>>
>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>> Hi,
>>> since this morning daily signature update 23337
>>> and even with the latest one 23338
>>> my amavis flags some emails with PDF attachments as virus:
>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>
>>> Checking the PDF with other AVs and even with clamscan (on the same
>>> server) results in a clean file:
>>>
>>> beppe@thot:/tmp$ clamscan TCA.pdf
>>> TCA.pdf: OK
>>>
>>> --- SCAN SUMMARY ---
>>> Known viruses: 6272759
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.22 MB
>>> Data read: 0.08 MB (ratio 2.71:1)
>>> Time: 17.277 sec (0 m 17 s)
>>>
>>> if I check the file with clamdscan I get the virus found:
>>> beppe@thot:/tmp$ clamdscan TCA.pdf
>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>
>>> --- SCAN SUMMARY ---
>>> Infected files: 1
>>> Time: 0.032 sec (0 m 0 s)
>>>
>>> Any hints on how to solve the problem?
>>>
>>> Thanks
>>> Giuseppe


-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op


Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-04-28 Thread Vladislav Kurz
I have the same problem, and already submitted a false positive report.
In our case it was a signed pdf, so I suspect that the signature makes
it FP. But I have no idea how to work around it now. Maybe disable pdf
scanning?

On 04/28/17 16:47, Giuseppe Ravasio wrote:
> Hi,
> since this morning daily signature update 23337
> and even with the latest one 23338
> my amavis flags some emails with PDF attachments as virus:
> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> 
> Checking the PDF with other AVs and even with clamscan (on the same
> server) results in a clean file:
> 
> beppe@thot:/tmp$ clamscan TCA.pdf
> TCA.pdf: OK
> 
> --- SCAN SUMMARY ---
> Known viruses: 6272759
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.22 MB
> Data read: 0.08 MB (ratio 2.71:1)
> Time: 17.277 sec (0 m 17 s)
> 
> if I check the file with clamdscan I get the virus found:
> beppe@thot:/tmp$ clamdscan TCA.pdf
> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> 
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 0.032 sec (0 m 0 s)
> 
> Any hints on how to solve the problem?
> 
> Thanks
> Giuseppe




Re: [clamav-users] Howto quarantine emails? "ERROR: VirusEvent: fork failed."

2017-01-03 Thread Vladislav Kurz
On 01/03/17 10:25, Mathieu D. wrote:
> Hello,
> 
> I would like to keep emails detected as virus by ClamAV on the filesystem, in 
> order to be able to retrieve false-positive when users asks for them. After a 
> few days, a simple cronjob would remove them.
> 
> So I though that "VirusEvent" could be an appropriate way to do it. (Is there 
> any better way?)

Hello,

try using amavis together with your SMTP server. It has options to put
mail into quarantine and to notify recipients that something has been
quarantined.


-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op


Re: [clamav-users] alternative signatures

2016-12-14 Thread Vladislav Kurz
On 12/13/16 10:14, Reindl Harald wrote:
> 
> 
> Am 13.12.2016 um 10:03 schrieb Vladislav Kurz:
>> Hello all,
>>
>> In the last few months my satisfaction with clamav's virus signatures is
>> getting worse. Viruses getting through, while clamav catches just a few.
>> Some of them are detected few days later, but that may be too late.
>> Also occasional false positives matching too many innocent files giving
>> bad points.
>>
>> So I am looking for alternative signatures, to improve the detection
>> rate. I heard about sanesecurity.com. Are there any other 3rd party
>> signatures?
> 
> when you already heard about sanesecurity.com why don't you give it a
> try, instead of seeking different sources obviously not many people are
> using?

I was just curious. Now I found out that the recommended script for
downloading sanesecurity signatures also offers a wide range of others'
signatures. That's really cool.


-- 
Best Regards
Vladislav Kurz



[clamav-users] alternative signatures

2016-12-13 Thread Vladislav Kurz
Hello all,

In the last few months my satisfaction with clamav's virus signatures is
getting worse. Viruses are getting through, while clamav catches just a few.
Some of them are detected a few days later, but that may be too late.
Also, occasional false positives matching too many innocent files give
bad points.

So I am looking for alternative signatures, to improve the detection
rate. I heard about sanesecurity.com. Are there any other 3rd party
signatures?

-- 
Best Regards
    Vladislav Kurz


Re: [clamav-users] Multiple logfiles for clamscan

2016-10-12 Thread Vladislav Kurz
On 10/12/16 12:25, Brad Scalio wrote:
> Is there a way to log-to-syslog for clamscan runs?  We pass the --log
> argument to write to an organizational defined log location for parsing for
> remote monitoring scripts but we also need to forward to arcsight
> collectors the scans for central management.  I know clamd and freshclam
> log by default to local6.* and have options to also send to syslog but is
> there a way to also do this for clamscan?

Hi,

you can pipe the output to the logger command. That will log to syslog with
a configurable facility.priority. See man logger.


-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op
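The logger pipe suggested above, worked out as an added example (not part of the thread or of ClamAV): each clamscan output line is forwarded to syslog with a priority derived from its verdict, so a collector can filter FOUND lines from routine OK lines. The local6 facility mirrors what the question says clamd and freshclam use; the tag name and the environment variable names are assumptions.

```shell
#!/bin/sh
# Added example: forward clamscan output to syslog line by line, mapping
# "FOUND" lines to a higher priority than "OK" lines.  Not part of ClamAV.

# Facility/tag are assumptions; override via the environment if needed.
FACILITY=${CLAMSCAN_SYSLOG_FACILITY:-local6}
TAG=${CLAMSCAN_SYSLOG_TAG:-clamscan}

# clamscan_line_priority LINE
#   Prints the syslog priority keyword for one line of clamscan output:
#     "<path>: <signature> FOUND" -> warning
#     "<path>: <reason> ERROR"    -> err
#     "<path>: OK"                -> info
#     summary and other lines     -> notice
clamscan_line_priority() {
    case $1 in
        *" FOUND") echo warning ;;
        *" ERROR") echo err ;;
        *": OK")   echo info ;;
        *)         echo notice ;;
    esac
}

# clamscan_to_syslog
#   Reads clamscan output on stdin and hands each non-empty line to
#   logger(1) with the priority chosen above.  Typical use, keeping the
#   organisation's file log from the question and adding the syslog copy:
#     clamscan -r --log=/path/to/org/clamscan.log /srv/data | clamscan_to_syslog
clamscan_to_syslog() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        logger -t "$TAG" -p "$FACILITY.$(clamscan_line_priority "$line")" -- "$line"
    done
}
```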


Re: [clamav-users] How to get each file status when scan a ditrtectory using clamdscan

2016-10-05 Thread Vladislav Kurz
On 10/03/16 19:05, crazy thinker wrote:
> Hi,
> 
> when i scanned a directory using clamdscan, i could get only error and
> virus infected files status in output. but i would like to see each
> file status (including "OK" status also) when i perform a scan over a single
> directory / multiple directories
> 
> how can it be achieved? could anyone please help me in this...

Hi,

You could scan using clamscan -r.
It recurses into directories and outputs the status of every scanned file.

Or is there a specific reason to use clam_D_scan instead?

-- 
Best regards
Vladislav Kurz



Re: [clamav-users] USB key scan on access

2016-06-30 Thread Vladislav Kurz
On 06/30/16 07:45, maiki wrote:
> Thank you for your answer. But in that case, I'll have to scan the
> entire key. As it could take some time, I prefer the on access approach.
> In addition this does not detect when a virus is copied to the key after
> the initial scan.

In that case I would recommend clamfs; it is not perfect, but it is simple.
The main problem is that it will still allow direct (unscanned) access
to the original filesystem, so you have to be careful.

-- 
Regards
    Vladislav Kurz



Re: [clamav-users] Structured.CreditCardNumber bounce

2016-04-03 Thread Vladislav Kurz
On Fri 1 April 2016 12:16:06, Bowie Bailey wrote:
> > 
> > Thanx!  Guess I used the term bounce incorrectly.  After looking at my
> > amavisd.conf file, I realized I have:
> > $final_virus_destiny  = D_REJECT;
> > 
> > So it is properly configured, just not behaving the way we want it to yet.
> 
> If that is the case, you have no control over the behavior.  Your server
> simply sends a message something like:
> 
> 554 Virus found - Signature is Heuristics.Structured.CreditCardNumber
> 
> to the sending server.  It is up to them what they do with that. You
> have no control over the content of the bounce message because your
> server isn't the one sending it.
> 
> However, you should verify that Amavis is being called during the
> original receipt of the message.  If it is being called later in the
> process, after your server has accepted the message, then that D_REJECT
> will turn into a bounce.  (AFAIK... I haven't messed with Amavis configs
> in a while)

The most common setup of postfix+amavis I have seen is that amavis is called 
AFTER the message has been accepted by postfix. In that case, even if you set 
amavis to D_REJECT, you effectively bounce. The difference is who controls the 
content of the bounce message: in D_BOUNCE it is amavis, in D_REJECT it is 
postfix. But both are under your control, and both are wrong. You produce 
backscatter spam in both cases.



Re: [clamav-users] Structured.CreditCardNumber bounce

2016-04-01 Thread Vladislav Kurz
On Friday, 01 April 2016, Rob McKennon wrote:

> Hello,
> 
> One of the reasons we use clamav is to not accept emails with credit
> card numbers.  And it works great to bounce the message back to the
> sender.  However, according to PCI, sending the original message back
> with the same credit card numbers they sent us, is just as bad as them
> sending it to us in the first place.
> 
> Is there a way to tell clamav to send the bounce message with the
> "INFECTED: Heuristics.Structured.CreditCardNumber" data, but NOT include
> the original email?

Hi,

this is not a setting of clamav itself. It should be configurable in the SMTP 
server or its antivirus interface, such as Amavis. Clamav just decides whether 
the file is infected or not. It is the SMTP server that decides what is sent back.

-- 
Best Regards
Vladislav Kurz
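Worked configuration, added here and not taken from either reply, for the point both the 2016-04-03 message (post-queue amavis turns D_REJECT into a bounce) and the 2016-04-01 message (the SMTP server or Amavis, not clamav, decides what is sent back) make: the weak post-queue wiring beside a pre-queue wiring in which amavis's verdict becomes a real SMTP reject, so the sending MTA gets the 554 in-session and no copy of the original message, credit card numbers included, is ever returned. It assumes amavisd-new listening on 127.0.0.1:10024 and re-injecting on 10025 (the amavisd-new defaults) and the Debian config path /etc/amavis/conf.d/50-user; adjust to your installation.

```text
# --- Weak (post-queue): /etc/postfix/main.cf ---
# Postfix answers 250 OK at end-of-DATA, queues the message, and only then
# hands it to amavis. A D_REJECT or D_BOUNCE verdict at that point can only
# become a new message to the (often forged) envelope sender: backscatter.
content_filter = smtp-amavis:[127.0.0.1]:10024

# --- Corrected (pre-queue): /etc/postfix/master.cf ---
# Remove content_filter from main.cf. The public smtpd now proxies each SMTP
# session to amavis BEFORE replying to end-of-DATA, so amavis's 5xx is relayed
# to the sending MTA and no bounce is generated by your server at all.
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
# After-filter smtpd: receives the accepted message back from amavis.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

# --- /etc/amavis/conf.d/50-user (amavisd-new, Debian layout assumed) ---
# With the pre-queue wiring above, D_REJECT is a true in-session reject
# ("554 Virus found - Signature is Heuristics.Structured.CreditCardNumber"
# goes to the remote MTA, nothing goes back by mail). D_BOUNCE would still
# mail the sender, so never use it for this purpose; D_DISCARD quarantines
# silently if you prefer not to tell the sender anything.
$final_virus_destiny  = D_REJECT;
$final_banned_destiny = D_REJECT;
$forward_method = 'smtp:[127.0.0.1]:10025';
```

Pre-queue filtering keeps the client's SMTP connection open while amavis scans, so size the smtpd process count and scan timeouts for your peak inbound load.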


[clamav-users] Why is ArchiveBlockMax obsoleted?

2015-02-26 Thread Vladislav Kurz
Hi all,

in response to a recent wave of viruses that were not detected by any antivirus, 
we decided to simply block any nested zip files (exe inside zip inside zip).
So I tried to set MaxRecursion=1, just to find out that it passes such files 
as clean without scanning deeper. I want to block such files in the same 
manner as encrypted archives, but the ArchiveBlockMax option is obsolete. Why? 
Is there any undocumented replacement option for that?

On some man pages I found --max-block, but that is ignored as well.
Is there any reason to drop such a function?

-- 
Best Regards
Vladislav Kurz