Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps
Ravi wrote: Thanks Kris for your comments. Currently we scan the incoming files(zips/archives) placed on the local hard drive with the clamdscan(which uses clamd daemon), Can you share more info on what you meant on handling the result differently if we are using the clamdscan? Whatever calls clamdscan needs to look at the results in more detail, and instead of just blindly treating any positive result as a virus, check the virus "name" to see if there is some other action, or if the result is something that should be let past. For instance, I've added checks to several mail systems that treat a resulting "virus name" of "Heuristics.Phishing.SpoofDomain" differently from other results, because that test (PhishingScanURLs) tends to FP on legitimate mail. The test is still valuable but it's not reliable as an absolute black/white result. In general, if you don't want certain things to cause false positives with a content filter, either: - don't pass those things to the filter in the first place, - handle the results from the filter differently for your problem case, - disable the problematic test(s) in the filter Exactly what changes you need to make for each of these will depend on how you're passing content to the filter, how you're accepting the scan results back, and how configurable the filter is. -kgd ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps
Thanks Kris for your comments. Currently we scan the incoming files(zips/archives) placed on the local hard drive with the clamdscan(which uses clamd daemon), Can you share more info on what you meant on handling the result differently if we are using the clamdscan? Thanks Ravi On Tue, Nov 7, 2017 at 5:00 AM, Kris Deugauwrote: > Ravi wrote: > >> Hi, >> >> Looking forward for comments and suggestions for the below reported issue >> from the community. >> > > Well, to answer your original question, it looks to me like the test is > doing exactly what it's supposed to. Core dumps would quite reasonably > contain executable chunks, but may not contain the complete executable, or > may come out with wrong code entry points, and so they are "broken" when > assumed to be executable files. > > For your use case you should probably either turn this test off, or adjust > your filter system glue layer to handle this result differently. Whether > you can do the latter depends on how you call Clam. > > -kgd > > > > On Oct 27, 2017 4:09 PM, "Ravi" wrote: >> >> Hi, >>> >>> We are seeing instances when customer uploads his zip files which >>> contains >>> core files/core dumps during scanning ClamAV is treating some of them as >>> “Heuristics.Broken.Executable FOUND”. Currently we have turned-on this >>> check in the clamd.conf as below. >>> >>> *# With this option clamav will try to detect broken executables (both PE >>> and* >>> *# ELF) and mark them as Broken.Executable.* >>> *# Default: no* >>> *DetectBrokenExecutables yes* >>> >>> The question is why ClamAV is treating core files/core dumps as >>> “Heuristics.Broken.Executable FOUND”. Is it safe to turn-off this setting >>> for ClamAV? or is there way to skip these checks for core files/core >>> dumps >>> in ClamAV? >>> >>> Thanks >>> Ravi >>> >>> >>> ___ >> clamav-users mailing list >> clamav-users@lists.clamav.net >> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users >> >> >> Help us build a comprehensive ClamAV guide: >> https://github.com/vrtadmin/clamav-faq >> >> http://www.clamav.net/contact.html#ml >> >> > ___ > clamav-users mailing list > clamav-users@lists.clamav.net > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users > > > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps
Hi, Looking forward for comments and suggestions for the below reported issue from the community. Thanks Ravi On Oct 27, 2017 4:09 PM, "Ravi"wrote: > Hi, > > We are seeing instances when customer uploads his zip files which contains > core files/core dumps during scanning ClamAV is treating some of them as > “Heuristics.Broken.Executable FOUND”. Currently we have turned-on this > check in the clamd.conf as below. > > *# With this option clamav will try to detect broken executables (both PE > and* > *# ELF) and mark them as Broken.Executable.* > *# Default: no* > *DetectBrokenExecutables yes* > > The question is why ClamAV is treating core files/core dumps as > “Heuristics.Broken.Executable FOUND”. Is it safe to turn-off this setting > for ClamAV? or is there way to skip these checks for core files/core dumps > in ClamAV? > > Thanks > Ravi > > ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
[clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps
Hi, We are seeing instances when customer uploads his zip files which contains core files/core dumps during scanning ClamAV is treating some of them as “Heuristics.Broken.Executable FOUND”. Currently we have turned-on this check in the clamd.conf as below. *# With this option clamav will try to detect broken executables (both PE and* *# ELF) and mark them as Broken.Executable.* *# Default: no* *DetectBrokenExecutables yes* The question is why ClamAV is treating core files/core dumps as “Heuristics.Broken.Executable FOUND”. Is it safe to turn-off this setting for ClamAV? or is there way to skip these checks for core files/core dumps in ClamAV? Thanks Ravi ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml