Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-11-07 Thread Kris Deugau

Ravi wrote:

> Thanks Kris for your comments. Currently we scan the incoming
> files (zips/archives) placed on the local hard drive with
> clamdscan (which uses the clamd daemon). Can you share more info on what you
> meant on handling the result differently if we are using clamdscan?


Whatever calls clamdscan needs to look at the results in more detail, 
and instead of just blindly treating any positive result as a virus, 
check the virus "name" to see if there is some other action, or if the 
result is something that should be let past.


For instance, I've added checks to several mail systems that treat a 
resulting "virus name" of "Heuristics.Phishing.SpoofDomain" differently 
from other results, because that test (PhishingScanURLs) tends to FP on 
legitimate mail.  The test is still valuable but it's not reliable as an 
absolute black/white result.


In general, if you don't want certain things to cause false positives 
with a content filter, either:


- don't pass those things to the filter in the first place,

- handle the results from the filter differently for your problem case,

- disable the problematic test(s) in the filter

Exactly what changes you need to make for each of these will depend on 
how you're passing content to the filter, how you're accepting the scan 
results back, and how configurable the filter is.


-kgd

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
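An added example of the "handle the results from the filter differently" option, not Kris's code and not anything shipped by the ClamAV project: a small Python glue layer that parses the standard clamdscan report lines (`<path>: <name> FOUND`, `<path>: OK`, `<path>: <message> ERROR`) and applies a per-name policy, so a `Heuristics.Broken.Executable` hit on an uploaded archive is routed to review instead of being treated as a hard block, while real signature hits still block and scanner errors fail closed. The policy table, the sample report and the paths in it are constructed for illustration; the `clamdscan` flags (`--no-summary`, `--fdpass`) and exit codes (0 clean, 1 found, 2 error) are the documented ones.

```python
"""Policy layer on top of clamdscan results.

Added example, not code from the mailing-list thread or from ClamAV itself.
Assumes the standard clamdscan/clamscan report format and exit codes.
The policy table and SAMPLE_REPORT below are constructed for illustration.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import Iterable

# Heuristic names whose verdict is advisory rather than a definite detection.
# "review" means log + hold for a human; "allow" would let the file through.
# Everything not listed here is treated as a real detection and blocked.
HEURISTIC_POLICY = {
    "Heuristics.Broken.Executable": "review",     # trips on core dumps in zips
    "Heuristics.Phishing.SpoofDomain": "review",  # the mail-filter case above
}

# One report line: "<path>: <detail> <STATUS>". The lazy path match stops at
# the first ": ", so paths that themselves contain ": " would mis-parse.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<detail>.*?)(?P<status>FOUND|OK|ERROR)$")

# Constructed sample output, as clamdscan prints it (summary lines included).
SAMPLE_REPORT = """\
/srv/uploads/ticket-4711/cores.zip: Heuristics.Broken.Executable FOUND
/srv/uploads/ticket-4712/notes.txt: OK
/srv/uploads/ticket-4713/tool.exe: Win.Test.EICAR_HDB-1 FOUND
/srv/uploads/ticket-4714/missing.bin: lstat() failed: No such file or directory. ERROR

----------- SCAN SUMMARY -----------
Infected files: 2
"""


@dataclass(frozen=True)
class Verdict:
    path: str
    status: str   # FOUND / OK / ERROR
    name: str     # signature or heuristic name; "" when not FOUND
    action: str   # block / review / allow / error


def classify(name: str) -> str:
    """Map a detection name to a policy action; unknown names block."""
    return HEURISTIC_POLICY.get(name, "block")


def parse_report(lines: Iterable[str]) -> list[Verdict]:
    """Turn clamdscan report lines into per-file verdicts, skipping summary text."""
    verdicts = []
    for raw in lines:
        m = RESULT_RE.match(raw.rstrip())
        if not m:
            continue  # blank lines and the SCAN SUMMARY block
        path, detail, status = m.group("path"), m.group("detail").strip(), m.group("status")
        if status == "FOUND":
            verdicts.append(Verdict(path, status, detail, classify(detail)))
        elif status == "OK":
            verdicts.append(Verdict(path, status, "", "allow"))
        else:
            verdicts.append(Verdict(path, status, detail, "error"))
    return verdicts


def decide(verdicts: Iterable[Verdict]) -> str:
    """Most restrictive action wins; no parseable result at all fails closed."""
    order = {"block": 3, "error": 2, "review": 1, "allow": 0}
    return max((v.action for v in verdicts), key=order.__getitem__, default="error")


def scan(path: str) -> str:
    """Run clamdscan on a path and return the policy decision (needs a running clamd)."""
    proc = subprocess.run(
        ["clamdscan", "--no-summary", "--fdpass", path],
        capture_output=True, text=True,
    )
    if proc.returncode not in (0, 1):  # 2 = scanner error; never treat as clean
        return "error"
    return decide(parse_report(proc.stdout.splitlines()))


if __name__ == "__main__":
    for v in parse_report(SAMPLE_REPORT.splitlines()):
        print(f"{v.action:6} {v.path}  {v.name}")
```

Whatever calls `scan()` then acts on the returned action rather than on the bare exit code, which is the point of the thread: exit code 1 alone cannot distinguish a heuristic from a real signature. If the uploads are overwhelmingly core dumps and nothing in your pipeline benefits from the check, the simpler route is Kris's third option, `DetectBrokenExecutables no` in clamd.conf.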


Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-11-07 Thread Ravi
Thanks Kris for your comments. Currently we scan the incoming
files (zips/archives) placed on the local hard drive with
clamdscan (which uses the clamd daemon). Can you share more info on what you
meant on handling the result differently if we are using clamdscan?

Thanks
Ravi

On Tue, Nov 7, 2017 at 5:00 AM, Kris Deugau  wrote:

> Ravi wrote:
>
>> Hi,
>>
>> Looking forward to comments and suggestions for the below reported issue
>> from the community.
>>
>
> Well, to answer your original question, it looks to me like the test is
> doing exactly what it's supposed to.  Core dumps would quite reasonably
> contain executable chunks, but may not contain the complete executable, or
> may come out with wrong code entry points, and so they are "broken" when
> assumed to be executable files.
>
> For your use case you should probably either turn this test off, or adjust
> your filter system glue layer to handle this result differently. Whether
> you can do the latter depends on how you call Clam.
>
> -kgd
>
>
>
>> On Oct 27, 2017 4:09 PM, "Ravi"  wrote:
>>
>>> Hi,
>>>
>>> We are seeing instances when a customer uploads zip files which contain
>>> core files/core dumps; during scanning, ClamAV is treating some of them as
>>> “Heuristics.Broken.Executable FOUND”. Currently we have turned on this
>>> check in clamd.conf as below.
>>>
>>> # With this option clamav will try to detect broken executables (both PE and
>>> # ELF) and mark them as Broken.Executable.
>>> # Default: no
>>> DetectBrokenExecutables yes
>>>
>>> The question is why ClamAV is treating core files/core dumps as
>>> “Heuristics.Broken.Executable FOUND”. Is it safe to turn off this setting
>>> for ClamAV? Or is there a way to skip these checks for core files/core dumps
>>> in ClamAV?
>>>
>>> Thanks
>>> Ravi
>>>

Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-11-06 Thread Ravi
Hi,

Looking forward to comments and suggestions for the below reported issue
from the community.

Thanks
Ravi

On Oct 27, 2017 4:09 PM, "Ravi"  wrote:

> Hi,
>
> We are seeing instances when a customer uploads zip files which contain
> core files/core dumps; during scanning, ClamAV is treating some of them as
> “Heuristics.Broken.Executable FOUND”. Currently we have turned on this
> check in clamd.conf as below.
>
> # With this option clamav will try to detect broken executables (both PE and
> # ELF) and mark them as Broken.Executable.
> # Default: no
> DetectBrokenExecutables yes
>
> The question is why ClamAV is treating core files/core dumps as
> “Heuristics.Broken.Executable FOUND”. Is it safe to turn off this setting
> for ClamAV? Or is there a way to skip these checks for core files/core dumps
> in ClamAV?
>
> Thanks
> Ravi
>
>

[clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-10-27 Thread Ravi
Hi,

We are seeing instances when a customer uploads zip files which contain
core files/core dumps; during scanning, ClamAV is treating some of them as
“Heuristics.Broken.Executable FOUND”. Currently we have turned on this
check in clamd.conf as below.

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes

The question is why ClamAV is treating core files/core dumps as
“Heuristics.Broken.Executable FOUND”. Is it safe to turn off this setting
for ClamAV? Or is there a way to skip these checks for core files/core dumps
in ClamAV?

Thanks
Ravi