Re: [clamav-users] Scanning very large files in chunks

2016-08-11 Thread Paul Kosinski
After posting a while ago about scanning (extremely) large disk images, I realized that files need not be contiguous in a disk image. It all depends on the block allocation algorithm of the file system and, in many cases, on fragmentation that occurs as the disk is used. So, even if you could

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
Thank you :) I went to see and read the mailing list archive and found the help I needed with my bad English :) 2016-08-11 17:45 UTC+02:00, Benny Pedersen : > On 2016-08-11 10:18, ancien compte wrote: >> I forgot :) >> >> wget -qO- http://www.kaspersky.fr/internet-security/ |

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steve basford
This was on the blog: YARA rules using any of the following features will be flagged in error, and the respective rules will be disabled: Single byte YARA string components – currently in the ClamAV matcher, all strings, as well as components of strings delimited by wild cards, must be

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Benny Pedersen
On 2016-08-11 19:32, Axb wrote: In that post author states: "I created some YARA rules that use the external variable „filename“ to work. LOKI and THOR use the „filename“ and other external variables by default." hmm... now how the heck do we get to happen with ClamAV? :) .. talking to

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb
In that post author states: "I created some YARA rules that use the external variable „filename“ to work. LOKI and THOR use the „filename“ and other external variables by default." hmm... now how the heck do we get to happen with ClamAV? :) .. talking to myself... On 08/11/2016 07:29 PM,

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb
Found it! https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/ see "rule Suspicious_Size_chrome_exe" and others... Assumed it was a "legal" keyword. On 08/11/2016 07:26 PM, Axb wrote: I picked the filename condition from a sample rule on a web site with

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb
I picked the filename condition from a sample rule on a web site with a number of yara rules. Too bad I didn't bookmark it... Will try to find it again. On 08/11/2016 05:08 PM, Steven Morgan wrote: filename does not appear as a yara keyword:

Re: [clamav-users] Scanning very large files in chunks

2016-08-11 Thread G.W. Haywood
Hello once again, On Thu, 11 Aug 2016, sapientdust+cla...@gmail.com wrote: I scan a 4.5 GB file in multiple instream calls, by scanning the first 3 GB in one call, and then making a second instream call that provides the first N MB followed by the last 2 GB of the file. Would clamav be

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Benny Pedersen
On 2016-08-11 10:18, ancien compte wrote: I forgot :) wget -qO- http://www.kaspersky.fr/internet-security/ | clamscan - stdin: Html.Exploit.CVE_2016_3326-3 FOUND hopefully they read it here sooner or later? :=) I am not good at French so hopefully their webmaster can receive mail

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steven Morgan
filename does not appear as a yara keyword: http://yara.readthedocs.io/en/latest/writingrules.html Is it a new keyword not yet in a released version of yara? Did you mean filesize? On Thu, Aug 11, 2016 at 5:21 AM, Axb wrote: > Guys, > > clamscan --database=test.yar

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
good job thx On Thu, 11 Aug 2016 at 15:54, Alain Zidouemba wrote: > The signature "Html.Exploit.CVE_2016_3326-3" has been removed and will be > updated to take into account the false positives reported. > > Thanks, > > - Alain > > On Thu, Aug 11, 2016 at 6:36 AM,

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Alain Zidouemba
The signature "Html.Exploit.CVE_2016_3326-3" has been removed and will be updated to take into account the false positives reported. Thanks, - Alain On Thu, Aug 11, 2016 at 6:36 AM, ancien compte wrote: > and http://www.kaspersky.fr/internet-security etc is

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
and http://www.kaspersky.fr/internet-security etc is accessible now :) 2016-08-11 12:35 UTC+02:00, ancien compte : > it works fine from freshclam update database > my daughter thx you too :) > > > Thu Aug 11 12:07:51 2016 -> Update process terminated > Thu Aug 11

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
it works fine from freshclam update database my daughter thx you too :) Thu Aug 11 12:07:51 2016 -> Update process terminated Thu Aug 11 12:07:52 2016 -> -- Thu Aug 11 12:07:52 2016 -> Current working dir is /var/lib/clamav Thu Aug 11 12:07:52 2016 ->

[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb
Guys, clamscan --database=test.yar blah.html LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename" LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1 test.yar: OK blah.html: OK test.yar rule TEST_BLAH_FILENAME { strings:

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
thx a lot 2016-08-11 11:14 UTC+02:00, Al Varnell : > That server does not belong to Cisco/SourceFire/ClamAV. You need to report > it to i...@securiteinfo.com. > > -Al- > > On Thu, Aug 11, 2016 at 02:07 AM, ancien compte wrote: >> >> Also, the mirror clamav.securiteinfo.com not

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
ok thx :) I was using script from jessie debian's repo 2016-08-11 11:14 UTC+02:00, Steve Basford : > > On Thu, August 11, 2016 10:07 am, ancien compte wrote: >> Also, the mirror clamav.securiteinfo.com does not work, can't resolve it >> > That's an old 3rd party

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Steve Basford
On Thu, August 11, 2016 10:07 am, ancien compte wrote: > Also, the mirror clamav.securiteinfo.com does not work, can't resolve it > That's an old 3rd party signature domain... it's been gone a while.. Latest download scripts here: http://sanesecurity.com/usage/linux-scripts/ Cheers, Steve Web :

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Al Varnell
That server does not belong to Cisco/SourceFire/ClamAV. You need to report it to i...@securiteinfo.com. -Al- On Thu, Aug 11, 2016 at 02:07 AM, ancien compte wrote: > > Also, the mirror clamav.securiteinfo.com does not work, can't resolve it

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
Also, the mirror clamav.securiteinfo.com does not work, can't resolve it Best Regards 2016-08-11 10:22 UTC+02:00, Al Varnell : > Submit to . > > -Al- > > On Thu, Aug 11, 2016 at 01:18 AM, ancien compte wrote: >> >> wget -qO-

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
ok, thx I did it one hour ago :) have a nice day 2016-08-11 10:22 UTC+02:00, Al Varnell : > Submit to . > > -Al- > > On Thu, Aug 11, 2016 at 01:18 AM, ancien compte wrote: >> >> wget -qO- http://www.kaspersky.fr/internet-security/ | clamscan

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Al Varnell
Submit to . -Al- On Thu, Aug 11, 2016 at 01:18 AM, ancien compte wrote: > > wget -qO- http://www.kaspersky.fr/internet-security/ | clamscan - > stdin: Html.Exploit.CVE_2016_3326-3 FOUND

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
I forgot :) wget -qO- http://www.kaspersky.fr/internet-security/ | clamscan - stdin: Html.Exploit.CVE_2016_3326-3 FOUND --- SCAN SUMMARY --- Known viruses: 7809215 Engine version: 0.99.2 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.09 MB Data

[clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
hi, from every links inside "particular's links" http://www.kaspersky.fr/internet-security http://www.kaspersky.fr/total-security-multi-device http://www.kaspersky.fr/multi-device-security Nom du virus: Html.Exploit.CVE_2016_3326-3 may we trust it on /var/lib/clamav/sigwhitelist.ign2 ?