Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Monday 6 October 2014, 10:05:11, Alain Zidouemba wrote:

If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)

Or use this: https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

It raises the ClamAV detection rate up to 80% on 0-day malware.

Best regards
Arnaud Jacques
SecuriteInfo.com
___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Hi,

Speaking of SecuriteInfo, is the High Risk label deserved for the spam_marketing signatures? Have used all the others in the Securite list but that one.

Yes, spam_marketing.ndb has a high level of false positives. Why? Because it focuses on French spam/marketing/private selling/special offers/and mailing lists I haven't subscribed to. It also targets scams from Africa or Asia, and other kinds of emails my customers don't want. But some of my customers *want* to receive these kinds of emails (gasp!).

You can use .ign signatures to suit your needs, or don't use spam_marketing.ndb at all. It is up to you. Give it a try by offline scanning your mailboxes and see for yourself what is detected.

If you believe some signatures are generating too many false positives, please contact me off list. Maybe spam_marketing.ndb needs tuning after all. Me and my (French) customers are pretty happy with spam_marketing.ndb. They have very few spam passing through.

Other signature files I provide have a very low false positive rate.

Best regards,
Arnaud Jacques
SecuriteInfo.com
Re: [Clamav-users] LibclamAV - Very Slow
Hi,

On Wednesday 27 September 2006 14:27, Alexander Hagenah wrote:

My application is called every time, a mail arrives.

...And every time you load the signature databases, I guess...

Regards,
Arnaud Jacques
Security Consultant
Phone / Fax: +33-(0)3.44.39.76.46
Mobile: +33-(0)6.24.40.95.03
E-mail: [EMAIL PROTECTED]
Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Database-files
On Wednesday 29 March 2006 14:57, Sander Holthaus wrote:

From the FAQ:

My Question: Which extensions does ClamAV look for? It seems to recognize .ndb and .hdb, so does it recognize files with /\.[a-z]db$/ ?

1. *I can't wait for you to update the database! I need to use the new signature NOW!*
No problem, save your own signatures in a text file with .db extension. Put it in the same dir where the .cvd files are located. ClamAV will load it after the official .cvd files. You need not to sign the .db file.

What is the rule here?

It recognizes db, ndb, hdb, fp, and of course cvd.

Second, I'm wondering, is there any way for ClamAV to drop a database (but not main and daily cvd's) if there is a problem with it? Currently, if the database directory contains a malformatted db-file, clamd dies on reload. While the db-dir should never contain a malformatted db, there are situations where it may happen. In those cases, I want ClamAV to drop the db, but reload with good db's.

In this case, remove the malformatted db-file from the database directory and restart clamd.

--
Regards,
Arnaud Jacques
Security Consultant
Phone / Fax: +33-(0)3.44.39.76.46
Mobile: +33-(0)6.24.40.95.03
E-mail: [EMAIL PROTECTED]
Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
Re: [Clamav-users] Unofficial Phishing Signatures
Hello Steve,

On Tuesday 24 January 2006 21:49, Steve Basford wrote:

As, I've seen a number of new phishing attempts get past the Official ClamAV signatures, I thought I'd try to produce my own signatures, to see if some of these newer phishing attempts could be stopped. They are here to download, if anyone is interested: http://www.sanesecurity.com/clamav/

Your signatures are based on HTML (Filetype = 3). Shouldn't it be based on Mail (Filetype = 4)? This could avoid false positives like this one:

- Go to http://www.sanesecurity.com/clamav/
- Save the html page on your hard disk
- Scan the saved web page with your phish.ndb signatures
= Html.Phishing.Auction.Sanesecurity.06010701 FOUND

Anyway, thank you for creating signatures. This is useful for a lot of us.

Best regards,
Arnaud Jacques
Security Consultant
Phone / Fax: +33-(0)3.44.39.76.46
Mobile: +33-(0)6.24.40.95.03
E-mail: [EMAIL PROTECTED]
Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
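The two messages above raise checks that can be made before a custom file reaches the database directory: a malformed line stops clamd on reload, and a phishing signature scoped to HTML (target type 3) instead of Mail (target type 4) also fires on a saved web page. The following is an added example, not code from the thread or from ClamAV: a Python linter for the basic `.ndb` layout `Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]`. The sample signatures and function names are constructed, the optional MinFL/MaxFL fields are not checked, and only the basic body wildcards are covered, so ClamAV's own loader remains the final authority.

```python
import re

# Target types from the ClamAV signature documentation (3 = HTML, 4 = Mail).
TARGET_TYPES = {"0": "any", "1": "PE", "2": "OLE2", "3": "HTML", "4": "Mail",
                "5": "Graphics", "6": "ELF", "7": "ASCII", "9": "Mach-O",
                "10": "PDF", "11": "Flash", "12": "Java"}
# Offsets: "*", n, EOF-n, EP+n, EP-n, Sx+n, SL+n, each with optional ",maxshift".
OFFSET_RE = re.compile(r"\*|(?:\d+|EOF-\d+|EP[+-]\d+|S(?:\d+|L)\+\d+)(?:,\d+)?")
# Basic body tokens: hex bytes with ? nibbles, "*", {n} {n-m} {-m} {n-}, (aa|bb).
BYTE = r"[0-9a-fA-F?]{2}"
BODY_RE = re.compile(r"(?:" + BYTE + r"|\*|\{(?:\d+|\d+-\d*|-\d+)\}|!?\((?:" + BYTE
                     + r")+(?:\|(?:" + BYTE + r")+)*\))+")

# Constructed sample database: two well-formed lines, three malformed ones.
SAMPLE_NDB = """\
Html.Phishing.Constructed-1:3:*:6578616d706c65{-20}6c6f67696e
Email.Phishing.Constructed-2:4:*:7665726966792079??7572
Broken.Constructed-3:3:*:6578616d706c65ZZ
Broken.Constructed-4:99:0:deadbeef
Broken.Constructed-5:4
"""

def lint_ndb_line(line):
    """Return the problems found in one .ndb line (empty list = none found)."""
    fields = line.strip().split(":")
    if not 4 <= len(fields) <= 6:
        return [f"expected 4 to 6 colon-separated fields, got {len(fields)}"]
    target, offset, body = fields[1:4]
    problems = []
    if target not in TARGET_TYPES:
        problems.append(f"unknown target type {target!r}")
    if not OFFSET_RE.fullmatch(offset):
        problems.append(f"bad offset {offset!r}")
    if not BODY_RE.fullmatch(body):  # also rejects an empty or odd-length body
        problems.append("bad signature body")
    return problems

def check_database(text):
    """Split .ndb text into clean lines and a {line_number: problems} map."""
    good, bad = [], {}
    for number, line in enumerate(text.splitlines(), 1):
        problems = lint_ndb_line(line) if line.strip() else None
        if problems:
            bad[number] = problems
        elif problems is not None:
            good.append(line)
    return good, bad

if __name__ == "__main__":
    print(check_database(SAMPLE_NDB)[1])
```

Only the lines returned as clean would be copied into the live database directory; the target-type field of each clean line shows whether a mail-borne pattern has been scoped to HTML (3) or to Mail (4).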
[Clamav-users] (no subject)
I am running Fedora Core 4. I have been trying to upgrade my clamav from ver 86.2 to 87.1 for a while now. When I use yum with the crash-hat repo it installs fine but then I have problems with my email server. I look for the clamd.conf file and it is not there in /etc. I check to see if clamd is running, it is not. I try to restart clamd, it tells me bad command. I then uninstall clamav 87 and reinstall 86 and everything is fine. If I download the rpm directly and open it with an archive manager I do not see clamd.conf anywhere. I would like to email the owner of the crash-hat repo and tell him but I do not see an email address anywhere.

Help

Ken
Re: [Clamav-users] (no subject)
On Sun, 9 Oct 2005 05:42:26 -0700 (PDT) in [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I am running Fedora Core 4. I have been trying to upgrade my clamav from ver 86.2 to 87.1 for a while now. When I use yum with the crash-hat repo it installs fine but then I have problems with my email server. I look for the clamd.conf file and it is not there in /etc. I check to see if clamd is running, it is not. I try to restart clamd, it tells me bad command. I then uninstall clamav 87 and reinstall 86 and everything is fine. If I download the rpm directly and open it with an archive manager I do not see clamd.conf anywhere.

If you look at the Crash Hat repository you'll see that there is also a clamav-server rpm for 0.87, you need to install this as well as the clamav rpm as it contains the clamd.conf file and the init.d scripts for clamd as well as the logrotate files. I don't know when Petr changed this, but that's what is there now.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

That was it!! I am a bit confused. In his repositories the only version of Fedora to use this server rpm is FC4. Oh well! Thanks Brian

Ken
RE: [Clamav-users] Segmentation fault
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fajar A. Nugraha
Sent: Sunday, October 10, 2004 8:32 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Segmentation fault

[EMAIL PROTECTED] wrote:

I am resending this since I did not get a beep from anyone and I think it should prove valuable to the developers.

In general, I believe segfault reports should be sent to [EMAIL PROTECTED], with backtrace results from debugger to help them pinpoint what's wrong.

The problem occurs with all 8.0 release candidates and CVS snapshots. Also only on RH 7.0 as far as I know.

I do not have RH 7.0 to test so I cannot verify what you have, but I run it successfully on RH 9.0

Seems like a library problem to me. This might not be a perfect fix, but you could try compiling statically on another server (your RH9) and use the resulting binary on your RH7.

Try http://clamav.or.id/snapshot/clamav-devel-latest.linux-static.tar.gz
It runs well on RH6.2

You might to modify (or use your own) clamd.conf for clamd, but freshclam and clamscan is enough to see if it solves your problem.

Thank you for the suggestion. This static build worked without a hitch.

Lu
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
RE: [Clamav-users] Multilog patch / daemontools
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arthur Kerpician
Sent: Sunday, October 03, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Multilog patch / daemontools

Hi all,

I was using clamav-0.75.1 with daemontools and a stderr-patch (developed for 0.70 but working on 0.75.1) to catch all the output to multilog. I recently upgraded to clamav-0.80rc3 and I found that when starting the clamd service 2 instances of clamd are running and the log shows me that daemontools tried to start clamd every second. When clamdctl stop only 1 of these instances is killed and clamd continues to run until killall clamd.

You do not need to apply the patch. More below

This is my clamdctl start section:

[code]
#!/bin/sh
PATH=/opt/clamav/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

case $1 in
start)
    echo Starting clamd
    # Bring the service up only if supervise is already watching it
    if svok /service/clamd ; then
        svc -u /service/clamd
    else
        echo clamd supervise not running
    fi
    if [ -d /var/lock/subsys ]; then
        touch /var/lock/subsys/clamd
    fi
    ;;
# remaining actions are not shown in the original post
esac
[/code]

This is my supervise/run script:

[code]
#!/bin/sh
# Send stderr to stdout so that multilog captures it
exec 2>&1
exec /usr/local/bin/setuidgid root /usr/local/bin/softlimit -a 4000 /opt/clamav/sbin/clamd -c /opt/clamav/etc/clamd.conf
[/code]

Take out the /usr/local/bin/setuidgid root portion. You don't need it.

And finally, this is clamd.conf:

[code]
LogFile stderr
LogSyslog
LogFacility LOG_MAIL
LocalSocket /tmp/clamd
FixStaleSocket
MaxThreads 20
User qscand
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ScanRAR
[/code]

Change
LogFile stderr
to
LogFile /dev/stdout

As well, you should have this turned on:
Foreground

Clamdscan is called from qmail-scanner.

1. Anyone aware of a new patch for outputting to stderr?
2. What am I doing wrong since I cannot start only 1 instance of clamd and daemontools tries to fire up every second a new process although clamav is already up?

Try the above suggestions and see if it works for you.

Thanks,
Arthur
[Clamav-users] clamdscan in rc3.0 produced Segmentation fault
I am running RH 7.0

configure and make went without a hitch. clamd daemon seems to be running. invoking clamdscan produces a Segmentation fault immediately

I don't have any idea what the backtrace reveals. No doubt, some of you do.

(gdb) run
Starting program: /usr/local/clamav/bin/clamdscan
Program received signal SIGSEGV, Segmentation fault.
0x4000acd0 in ?? ()
(gdb) backtrace
#0 0x4000acd0 in ?? ()
#1 0x40002902 in ?? ()
#2 0x4000f8f6 in ?? ()
#3 0x40002332 in ?? ()
#4 0x4000217f in ?? ()

version 0.75.1 works but it would be nice to use .80

I appreciate it if you can enlighten me.

Thanks.
Lu
[Clamav-users] Re: Thank you!
See the attached file for details