Re: [clamav-users] crdf threatcenter

2015-12-30 Thread Steve Basford
On Wed, December 30, 2015 7:27 pm, sebast...@debianfan.de wrote: > Hi @all, > > > does anybody know, what's up with the crdf threatcenter ? > > I am not able to download the crdfam.clamav.hdb database. > Hi Sebastian, I tweeted them a few days ago, they said they were having a few issues and would

Re: [clamav-users] Finding the spoofed domain

2015-12-15 Thread Steve Basford
On Tue, December 15, 2015 1:43 pm, Alex wrote: > Hi, > > > I have an email that was marked as having a spoofed domain, but I > believe it's a false-positive. It's one of those smartbrief.com > newsletters. > > How do I find out which domain specifically it thinks was spoofed? --debug will help...

Re: [clamav-users] Detection in windows but not Linux

2015-12-13 Thread Steve Basford
On Sun, December 13, 2015 2:25 am, Kurt Fitzner wrote: > > The file is definitely malware - it was injected through a WordPress > vulnerability. I have a virus scan that runs hourly on my wordpress folder > just for that reason, but this one slipped through the cracks. I want to > find out what

[clamav-users] Sanesecurity news: Scripts 0.99

2015-12-04 Thread Steve Basford
Just in case anyone isn't subscribed to the Sanesecurity list, a re-post of download script news for 0.99 and Yara: http://www.freelists.org/post/sanesecurity/Sanesecurity-News Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com ___ H

Re: [clamav-users] mail follow url

2015-11-26 Thread Steve Basford
On Thu, November 26, 2015 4:00 pm, polloxx wrote: > In http://www.clamav.net/documents/installing-clamav#requirements I read: > > > Optional: > > > GMP: for digital signatures > *cURL: for mail follow url* > > > > Does this mean that clamav scans URL's in mails? > Thu Aug 6 22:26:30 CEST 2009 (t

Re: [clamav-users] mail follow url

2015-11-26 Thread Steve Basford
On Thu, November 26, 2015 4:00 pm, polloxx wrote: > In http://www.clamav.net/documents/installing-clamav#requirements I read: > > > Optional: > > > GMP: for digital signatures > *cURL: for mail follow url* > > > > Does this mean that clamav scans URL's in mails? Hi, It *used* to a long time a

Re: [clamav-users] Fw: RE: Re: clamdscan t...

2015-11-23 Thread Steve Basford
On Mon, November 23, 2015 4:18 pm, Matus UHLAR - fantomas wrote: > seems that someone with ***idiotic antispam rules** has subscribed to this > list... aka how to let a user down gently... :) Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com _

Re: [clamav-users] handling multiple hits on CVE-2015-7645?

2015-11-22 Thread Steve basford
Create a localfp.ign2 file with the following line in it in your ClamAV database folder: Swf.Exploit.CVE_2015_7645 Restart clamd Hopefully the FP will be officially fixed soon. Cheers, Steve Web: sanesecurity.com Blog: sanesecurity.blogspot.com On 22 November 2015 12:52:04 "Orrick, Diana"

Re: [clamav-users] Clamav fails to detect exe within rar

2015-11-20 Thread Steve basford
Hi Alex... do you have libunrar

Re: [clamav-users] old stuff from Windows95

2015-11-17 Thread Steve Basford
On Tue, November 17, 2015 11:56 am, ellanios82 wrote: > On 11/17/2015 12:46 AM, Joel Esler (jesler) wrote: > >> Please submit false positive reports on the website. > - thanks : did try but failed , due my PC runs Linux : ClamAV > webpage RadioButtons stuck : cannot change from Windows to Linux [

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread Steve Basford
On Wed, November 4, 2015 6:03 am, P K wrote: > Hi, > > > I tried clamdscan with PUA enabled on go source code and seen an error. > issue6550.gz: PUA.File.Exploit.CVE_2012_1461 https://www.virustotal.com/en/file/c809983cf1b4f11552a1880272e3002a963a39c453b4883bf47e5c2cfc8f2a47/analysis/1446632226/

Re: [clamav-users] negate part of signature

2015-10-30 Thread Steve Basford
On Fri, October 30, 2015 8:07 am, Deyan Chepishev wrote: > Hello, > > > Thank you for the answer. > > > There is probably something missing in the doc, because the signature is > not properly working with the current clamav release 0.98.7 > I confirm the same here... I think it was a bug that's

Re: [clamav-users] ERROR: clamfi_eom: FD send failed: Broken pipe

2015-10-28 Thread Steve Basford
On Wed, October 28, 2015 1:25 pm, Urban Loesch wrote: > Hi, > > > today I moved my clamav-milter and clamd installation (linux container) > to a brand new hardware. Now I get these strange errors in the log every 3-5 > minutes. > Did a quick google... https://i-mscp.net/index.php/Thread/9756-ClamA

Re: [clamav-users] ClamAV not detecting malware

2015-10-28 Thread Steve Basford
On Wed, October 28, 2015 11:57 am, Matthias Hank wrote: > Hi, > > > almost a week ago i uploaded a malware sample via ClamAV Website which > was not detected by ClamAV. > Just going to grab lunch but you can do this for quickness.. create a myhashes.hdb file with the following inside it: 8e8e75

Re: [clamav-users] Interesting report from clamscan after adding new database

2015-10-15 Thread Steve Basford
On Thu, October 15, 2015 4:03 pm, Gene Heskett wrote: > Greetings everybody; > > > I added a new, not quite official database to my clamav checker, and this > morning its fussing about several files I have on my web page: > /var/www/html/gene/Genes-os9-stf/dw4_beta_1.4.tar.gz: > Sanesecurity.Foxh

Re: [clamav-users] Trouble with foxhole

2015-10-14 Thread Steve Basford
On Wed, October 14, 2015 9:45 am, Gene Heskett wrote: > I am with rajesh on this. clamav's hit rate, and I run every incoming > mail past it, is disgustingly poor at detecting this stuff. I have fed 500 > or more of these *^%$ .zip or .doc attachments to sa-learn spam, probably > poisoning its da

Re: [clamav-users] Trouble with foxhole

2015-10-14 Thread Steve Basford
On Wed, October 14, 2015 7:37 am, Rajesh M wrote: > > Sanesecurity.Foxhole.7z:CL_TYPE_7Z > Sanesecurity.Foxhole.Rar:CL_TYPE_RAR etc.. Hi rajesh, Yep, the above will work... but could cause high FP's for some people which they might find unacceptable, depending on their setup. If anyone has a ni

Re: [clamav-users] Trouble with foxhole

2015-10-14 Thread Steve Basford
On Wed, October 14, 2015 7:23 am, Hartmann, Jan wrote: > > > Hi, > Today we had a lot of problems with exe files hidden in zip archives > > > I tried to add the foxholedb to our clamav, but sadly it didn’t > recognize the exe in the zip. > > > clamscan --database=/var/lib/clamav/foxhole_generic.cd

Re: [clamav-users] Match alternate bytes?

2015-10-08 Thread Steve basford
Hi kris, I added a sig to detect some of these in phish.ndb. If you send me some samples I'll have a look to see if it matches. On 8 October 2015 17:14:58 Kris Deugau wrote: I've been seeing Javascript malware on and off where (one layer of) the Javascript obfuscation is done by taking the r

Re: [clamav-users] DB update and clamav-milter delay

2015-09-29 Thread Steve Basford
On Tue, September 29, 2015 9:15 am, Marco wrote: > I tried to relax the upgrades, but I see the problem is the time spent > to reload the db: > > 2015-09-29T01:03:15.710526+02:00 av2 clamd[15201]: Reading databases > from /var/lib/clamav 2015-09-29T01:03:53.151179+02:00 av2 clamd[15201]: > Databa

[clamav-users] Fp report

2015-09-10 Thread Steve basford
Just spotted this go report https://twitter.com/hanno/status/642067768616046592 Anyone else seeing issues: https://www.reddit.com/r/sysadmin/comments/3kg08m/gmail_flagging_company_docs_as_viruses_when/

Re: [clamav-users] Freshclam problem

2015-08-13 Thread Steve Basford
On Thu, August 13, 2015 9:11 pm, Paul wrote: > Hi > > > A patch for current 0.98.7 would be much appreciated. As a simple > network outage at the wrong time causes havoc with several systems. > > Paul Hi Paul, Just in case this helps... https://github.com/vrtadmin/clamav-devel/commit/7cbadfa4b2

Re: [clamav-users] Freshclam problem

2015-08-13 Thread Steve Basford
On Thu, August 13, 2015 2:20 pm, Paul wrote: > > If I use DatabaseCustomURL http://sitethattimes.out/file.hsb in > freshclam.conf freshclam exits from daemon mode !! Hi Paul, I can confirm the same issue under Win with the latest beta too. I've raised a Bugzilla... https://bugzilla.clamav.net/

Re: [clamav-users] ClamAV Update Authenticity?

2015-08-12 Thread Steve Basford
On Tue, August 11, 2015 9:31 pm, Benny Pedersen wrote: > http://sanesecurity.com/ is a wordpress site that is infected with > malware popups :( > Ok, sweetcaptcha plugin removed. For the technically interested... https://blog.sucuri.net/2015/06/sweetcaptcha-service-used-to-distribute-adware.h

Re: [clamav-users] ClamAV Update Authenticity?

2015-08-11 Thread Steve Basford
On 11 August 2015 21:31:40 Benny Pedersen wrote: there is download scripts that automate this, ironical http://sanesecurity.com/ is a wordpress site that is infected with malware popups :( Everything is kept up-to-date wordpress and plugins wise but think I've identified the plugin which

Re: [clamav-users] block access to file using scan on access option

2015-08-10 Thread Steve Basford
On Mon, August 10, 2015 10:58 am, kamil kapturkiewicz wrote: > Hi, > I am trying to configure Scan On Access with ProFTPD server to block > access to file (not only mark as FOUND): Not my area but Found this from an archive... -- You could write a virusevent script, put VirusEvent /path

Re: [clamav-users] virus samples

2015-08-08 Thread Steve Basford
Could you resend to: samp...@sanesecurity.me.uk On 8 August 2015 10:08:47 "sebast...@debianfan.de" wrote: Hi @all, i have 37 Files - which are not detected by clamav.

Re: [clamav-users] [Fwd: [sanesecurity] Hacking Team detection]

2015-08-07 Thread Steve Basford
> Steve: > Thank you, but for those of us who haven't played with our configuration > for quite a while as its been Just Working(TM) for a year or more, a > pointer to a URL showing how to incorporate this into the working configs > we have would be appropriate. > > Cheers, Gene Heskett > Hi, The

[clamav-users] [Fwd: [sanesecurity] Hacking Team detection]

2015-08-07 Thread Steve Basford
Just in case it's useful... Original Message Subject: [sanesecurity] Hacking Team detection From:"Steve Basford" Date:Fri, August 7, 2015 9:43 am To: sanesecurity_annou...@freelists.org Cc: sanesecur..

Re: [clamav-users] Fwd: Unable to detect pdf virus

2015-07-28 Thread Steve Basford
On Tue, July 28, 2015 3:41 pm, P K wrote: > So how to detect same in my clamAv? > Until a proper sig is added, you could try clamscan --detect-pua=yes Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com

Re: [clamav-users] Fwd: Unable to detect pdf virus

2015-07-28 Thread Steve Basford
On Tue, July 28, 2015 3:27 pm, P K wrote: > a3e8a7602797c69f6320225e8137d063 exploit.pdf > ClamAV isn't showing detection here: https://www.virustotal.com/en/file/61c9333604404addf7e3aaf97f89d4ed3bf6fe4d12bd3e98bc7232ebfd9f0c5b/analysis/ But does detect using PUA: ClamAV: Possibly Unwanted Ap

Re: [clamav-users] HackingTeam hashes

2015-07-21 Thread Steve Basford
On Tue, July 21, 2015 3:55 pm, Jörg Stephan wrote: > Hi there, > > > I guess you know that a team has released a tool to check for HackingTeam > files. They provided a test tool including the file hashes of the files. > > As I seem to be "under"-skilled to create a database for this, I will >

Re: [clamav-users] problem reading socket while updating database

2015-07-09 Thread Steve Basford
On Thu, July 9, 2015 11:11 am, Arnaud Jacques / SecuriteInfo.com wrote: > Thank you for the benchmarks Steve. > We are aware of this problem. With more than 1 million signatures, it > takes too much ram/cpu on lower hardware systems. ATM, we mainly focus on > javascript.ndb and securiteinfohtml.h

Re: [clamav-users] problem reading socket while updating database

2015-07-09 Thread Steve Basford
On Wed, July 8, 2015 9:30 pm, Jingo Administrator wrote: > I am planning to drop the SecuriteInfo.com signature libraries first, > because these were the last I added and after that the issue began to pop > up. > I am planning to drop the SecuriteInfo.com signature libraries first, > because thes

Re: [clamav-users] problem reading socket while updating database

2015-07-08 Thread Steve Basford
On Wed, July 8, 2015 5:09 pm, Jingo Administrator wrote: > Well, I agree my hardware isn't rather stunning and doesn't help to > (dramatically) reduce the time it takes for clamav to reload the > database. I will draw my conclusion and start to drop the 3rd party sigs. What signatures (3rd Party

Re: [clamav-users] Freshclam Question

2015-06-30 Thread Steve Basford
On Tue, June 30, 2015 1:57 pm, Nixon, R A (AL) CIV USARMY SEC (US) wrote: > > My organization has been using Freshclam to update virus definitions for > a number of years. We are United States based and set the database mirror > accordingly. In the past month we have noticed that the Database mirr

Re: [clamav-users] clamav 0.99 beta yara

2015-06-26 Thread Steve Basford
On Thu, June 25, 2015 10:50 pm, Steven Morgan wrote: > Steve, > > > One more question: is Sanesecurity planning to distribute yara signatures > when 0.99 final is released? This will help with appropriate scheduling of > any parameter implementations. Well, there's a new download script with Yara

Re: [clamav-users] clamav 0.99 beta yara

2015-06-25 Thread Steve Basford
Just a few more questions to think about... 3) Clamscan --official-db-only=yes Will that only apply to ndb's or to Yara too... or do we need --official-yara-only=yes? 4) Clamscan --yara-signatures=no Will there be an option like the above to disable Yara sigs 5) Will there be an option to *on

[clamav-users] clamav 0.99 beta yara

2015-06-25 Thread Steve Basford
Couple of pre-coffee questions... 1) >From what I can tell Yara signature names will be generated based on the yara rule name provided... eg: testname.yara: rule Sanesecurity.test { strings: $match1 = "test" $ignore1 = "this1" $ignore2 = "this2" condition: $match1 and not ($ignore1 or $ignore2

[clamav-users] daily.ftm

2015-06-19 Thread Steve Basford
Hi, Wasn't sure if this should be a bugzilla or not but... daily.ftm seems to be out-of-sync with the latest filetypes_int.h Eg, 4546492050415254 is missed and a few of the newer ones. Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steve Basford
On 11 June 2015 20:41:13 Alain Zidouemba wrote: This has been supported since the introduction of logical signatures (ldb) in ClamAV 0.94. Yep, I'm already using the ldb feature but a yara rule using the feature would make things easier to auto generate mostly, which is great news.

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steve Basford
On 11 June 2015 16:37:09 Steven Morgan wrote: Steve Here is a quick demo for your question. The file names in this test are the same as the file content: rule basford { strings: $match1 = "bbb" $ignore1 = "n" $ignore2 = "zbcz" condition: $match1 and not ($ignore1 or $ignore2)

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steve Basford
On Thu, June 11, 2015 3:51 pm, Steven Morgan wrote: > > We've borrowed the yacc/lex code from yara project. Hi, Does that mean ClamAV will support this condition in the current beta: $match1 and not ($ignore1 or $ignore2) I'll wait to test once windows binary beta arrives... or find a bit of t

Re: [clamav-users] ClamAV® blog: ClamAV 0.99b Meets YARA!

2015-06-05 Thread Steve Basford
Hi Tom, I certainly don't see why Yara rules aren't going to be rsynced, I'll chat with you off list. On 5 June 2015 16:33:16 TR Shaw wrote: Steve I have my own yara rules. Are you going to accept them for rsync? Tom On Jun 5, 2015, at 11:02 AM, Steve Basford wrote: &

Re: [clamav-users] ClamAV® blog: ClamAV 0.99b Meets YARA!

2015-06-05 Thread Steve Basford
On Wed, June 3, 2015 8:02 pm, Joel Esler (jesler) wrote: > > ClamAV 0.99b Meets YARA! > The first beta release of ClamAV 0.99 is now on SourceForge! ClamAV 0.99 > Since this is such a large feature, please help us by downloading, using, > and testing this feature and reporting bugs via our usual

Re: [clamav-users] Submission status

2015-05-22 Thread Steve Basford
On Fri, May 22, 2015 4:32 pm, sebast...@debianfan.de wrote: > Are there any specialties for sending samples - e.g. zipping with > password ? > You can zip with password infected if you need to...but not 100% needed. or maybe use http://free.mailbigfile.com/ Cheers, Steve Web : sanesecurity.com

Re: [clamav-users] Submission status

2015-05-22 Thread Steve Basford
Hi Fred, Can you send me the missed samples please samp...@sanesecurity.me.uk

[clamav-users] [Fwd: [sanesecurity] extremeshok/clamav-unofficial-sigs :: version 4.3 (updated 2015-05-13)]

2015-05-14 Thread Steve Basford
Hi All, Just in case this is useful to anyone: Adrian of extremeshok-dot-com has forked Bill Landry's clamav-unofficial-sigs script and made quite a few new changes to the script: Original Message Subject: [sanesecurity] extremeshok/clam

Re: [clamav-users] virus detection status

2015-05-13 Thread Steve Basford
On Wed, May 13, 2015 5:49 am, Dmitry Melekhov wrote: > Hello! > > > We are using clamav for years for e-mail virus filtering, and it worked > OK for us, > but last several weeks we found that clamav doesn't recognize many viruses > like js, or xls macros. I submitted one of the viruses several weeks ag

Re: [clamav-users] using clamdscan and clamd to do complete file system scan

2015-04-30 Thread Steve Basford
On Thu, April 30, 2015 7:18 am, Al Varnell wrote: > A family of Linux malware that stayed under the radar for more than 5 > years: > "Unboxing Linux/Mumblehard: Muttering spam from your servers" > ng-spam-servers/> I've

Re: [clamav-users] Sanesecurity .hdb databases integrity tested BAD

2015-04-24 Thread Steve Basford
On Fri, April 24, 2015 8:38 am, Alessandro Vesely wrote: > Hi, > > > I've been getting these log it's for a couple of days now: > > > Clamscan reports Sanesecurity honeynet.hdb database integrity tested BAD > - SKIPPING See this post: http://lurker.clamav.net/message/20150423.072453.3394b584.en.

Re: [clamav-users] concerning foxhole databases

2015-04-23 Thread Steve Basford
On Thu, April 23, 2015 12:03 pm, Rajesh M wrote: > i am using foxhole_all.cdb foxhole_filename.cdb foxhole_generic.cdb but > does not work > > how do i block .cab extension even if they are within zip or rar or 7z > files. Hi Rajesh In your sample...a-to-z_moving_and_delivery.zip Using datab

Re: [clamav-users] concerning foxhole databases

2015-04-23 Thread Steve Basford
On Thu, April 23, 2015 12:03 pm, Rajesh M wrote: > > how do i block .cab extension even if they are within zip or rar or 7z > files. > > thanks > Hi Rajesh Can you zip all the zips up, with password infected and email to: samp...@sanesecurity.me.uk Cheers, Steve Web : sanesecurity.com Blog: sa

[clamav-users] [Fwd: securiteinfo problems]

2015-04-23 Thread Steve Basford
Just a heads up for Bill Landry's ClamAV Unofficial Signatures Updater script users Original Message Subject: securiteinfo problems From:"Steve Basford" Date:Thu, April 23, 2015 8:24 am To: san

Re: [clamav-users] clamscan --exclude=REGEX

2015-04-16 Thread Steve Basford
On Thu, April 16, 2015 2:50 pm, sanes wrote: > The following exclude does not work (the scan will check the file) > > > clamscan -r --exclude="c:\Windows\System32\mobsync.exe" c:\ > > Please advise why exclude not working This works... don't think you can use a path... C:\clamav>clamscan --exclu

Re: [clamav-users] Exclude multiple files with Windows version of clamscan

2015-04-14 Thread Steve Basford
On Tue, April 14, 2015 6:34 pm, sanes wrote: > Please advise how to use a Text File with a list of Files to Exclude from > clamscan (Windows Version). > > Have only found postings with Unix-type solutions > > > clamscan --exclude='text file containing list of files' Not ideal but this sort of t

Re: [clamav-users] basic malware missed???

2015-03-25 Thread Steve Basford
On Tue, March 24, 2015 9:40 pm, Steve Holdoway wrote: > Hi folks, > > > I'm in the process of cleaning up an infected wordpress website and am > finding a number of files that contain > Shouldn't this be in there already? If there is a process to add this > can someone please point me to the docs

[clamav-users] [Fwd: remittance-advice xml malware]

2015-03-04 Thread Steve Basford
Sorry for the post but being hit hard with these atm... Original Message Subject: remittance-advice xml malware From:"Steve Basford" Date:Wed, March 4, 2015 11:17 am To: sanesecurity_annou...@freelists.org Cc:

[clamav-users] EquationAPT sigs

2015-02-19 Thread Steve Basford
Hi All, EquationAPT is in the news... so in case this is useful... copy the following to EquationAPT.hdb: 03718676311de33dd0b8f4f18cffd488:376320:Sanesecurity.Rogue.EquationAPT.1 0a209ac0de4ac033f31d6ba9191a8f7a:184320:Sanesecurity.Rogue.EquationAPT.2 11fb08b9126cdb4668b3f5135cf7a6c5:212480:Sane
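
The hash lists above and the myhashes.hdb suggestion earlier on this page both use ClamAV's .hdb format, MD5:FileSize:MalwareName, one entry per line, which is what `sigtool --md5 file` prints. As an added example (my code, not from the list or from Sanesecurity), the Python below builds such a file from constructed sample bytes, parses it back with the format checks a bad hand-edited line would fail, and matches a blob the way a hash signature matches: the digest and the size must both agree. The sample bytes and the Sanesecurity.Test.* names are invented for this example.

```python
import hashlib

# Constructed stand-ins for the undetected samples; the names are invented.
SAMPLES = {
    "Sanesecurity.Test.Sample.1": b"abc",
    "Sanesecurity.Test.Sample.2": b"The quick brown fox jumps over the lazy dog",
}

HEX = set("0123456789abcdef")


def hdb_line(data: bytes, name: str) -> str:
    """One .hdb entry: MD5:FileSize:MalwareName (what `sigtool --md5` prints).

    FileSize has to be the real size of the file; an entry whose size is
    wrong never matches even when the digest is right.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def build_hdb(samples: dict) -> str:
    """Render a whole .hdb file, one entry per line with a trailing newline."""
    return "".join(hdb_line(data, name) + "\n" for name, data in samples.items())


def parse_hdb(text: str) -> list:
    """Parse .hdb text into (md5, size, name) tuples, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected MD5:FileSize:MalwareName")
        md5, size, name = parts[0].lower(), parts[1], parts[2]
        if len(md5) != 32 or not set(md5) <= HEX:
            raise ValueError(f"line {lineno}: {md5!r} is not an MD5 hex digest")
        if not size.isdigit():
            raise ValueError(f"line {lineno}: FileSize {size!r} is not a number")
        if not name:
            raise ValueError(f"line {lineno}: empty MalwareName")
        entries.append((md5, int(size), name))
    return entries


def sample_entries() -> list:
    """The constructed samples rendered to .hdb text and parsed back."""
    return parse_hdb(build_hdb(SAMPLES))


def match_hdb(data: bytes, entries: list):
    """Return the MalwareName whose MD5 and size both match `data`, else None."""
    candidates = [e for e in entries if e[1] == len(data)]   # size filter first
    if not candidates:
        return None
    digest = hashlib.md5(data).hexdigest()
    for md5, _size, name in candidates:
        if md5 == digest:
            return name
    return None


if __name__ == "__main__":
    print(build_hdb(SAMPLES), end="")
    for blob in (b"abc", b"abd"):
        print(blob, "->", match_hdb(blob, sample_entries()))
```

Drop the generated file into the database directory with a .hdb extension, restart clamd, and remember that a hash signature only ever catches that exact file; a recompressed or repacked sample needs its own line.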

Re: [clamav-users] certificates

2015-02-09 Thread Steve Basford
On Mon, February 9, 2015 11:03 am, Al Varnell wrote: > Yes, I’m seeing the same thing with Safari for OS X. I also get an > expired 22 Oct 2014 certificate for the wwws.clamav.net/bugzilla site. Hi Al, Thanks for the confirmation. Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspo

[clamav-users] certificates

2015-02-09 Thread Steve Basford
Hi, Can anyone confirm... In one of the latest source files: "+ \end{itemize} + \item For more information and examples please see \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}."; The urls: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164 and https://www.clamav.net/ fo

Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.

2015-02-05 Thread Steve Basford
On Thu, February 5, 2015 9:30 am, Virgo Pärna wrote: > On Thu, 5 Feb 2015 09:11:16 -0000, Steve Basford >It does not match urls inside the > mail content. Also, since regexes are actually case sensitive, it does not > match *.EXE. So there's that. Hi Virgo, (?i) will sort

Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.

2015-02-05 Thread Steve Basford
> I created exe_in_archive.cdb file in clamav database directory, that > contains: > Archived_EXE:*:*:.*\.exe:*:*:*:*:*:* Forgot to add that the above sig, as you are using a *wildcard* ContainerType, means that any exe in the following types will be blocked: ContainerType: one of CL_TYPE_ZIP,
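
As an added example (my code, not from the list, from ClamAV or from the foxhole databases), here is the .cdb layout the two messages above work with, VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2, with a small evaluator that applies the container filter and the filename regex so the two caveats raised in the thread can be checked: a wildcard ContainerType fires for any container type, and `.*\.exe` without the `(?i)` prefix misses SETUP.EXE. Python's `re` stands in for libclamav's regex engine, which is an assumption; the `$`-anchored variants and the name Sanesecurity.Foxhole.7z_exe are invented for this example, and the container-type list is the one I recall from the ClamAV signature documentation, so check it against the docs for your version.

```python
import re

CDB_FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
              "Res1", "Res2")

# Container types a cdb signature can name (from the ClamAV signature docs as
# I recall them); a "*" ContainerType, as in the list message, covers them all.
CONTAINER_TYPES = {
    "CL_TYPE_ZIP", "CL_TYPE_RAR", "CL_TYPE_ARJ", "CL_TYPE_MSCAB", "CL_TYPE_7Z",
    "CL_TYPE_MAIL", "CL_TYPE_POSIX_TAR", "CL_TYPE_OLD_TAR",
}

SIGS = [
    # the signature posted to the list, verbatim
    r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*",
    # hypothetical hardened variants for this example: case-insensitive and
    # anchored at the end of the name, and one restricted to 7z containers
    r"Archived_EXE_icase:*:*:(?i).*\.exe$:*:*:*:*:*:*",
    r"Sanesecurity.Foxhole.7z_exe:CL_TYPE_7Z:*:(?i).*\.exe$:*:*:*:*:*:*",
]


def parse_cdb(line: str) -> dict:
    """Split one .cdb line into its ten fields and compile the filename regex."""
    parts = line.strip().split(":")
    if len(parts) != len(CDB_FIELDS):
        raise ValueError(f"expected {len(CDB_FIELDS)} colon-separated fields, got {len(parts)}")
    sig = dict(zip(CDB_FIELDS, parts))
    if sig["ContainerType"] != "*" and sig["ContainerType"] not in CONTAINER_TYPES:
        raise ValueError(f"unknown ContainerType {sig['ContainerType']!r}")
    # Python's re stands in for libclamav's regex engine (assumption); both
    # honour the (?i) prefix the list recommends for case-insensitive names.
    sig["regex"] = re.compile(sig["FileNameREGEX"])
    return sig


def cdb_matches(sig: dict, container_type: str, filename: str, encrypted: bool = False) -> bool:
    """Apply the container filter, the IsEncrypted flag and the filename regex.

    The size and position fields are left unchecked in this evaluator.
    """
    if sig["ContainerType"] not in ("*", container_type):
        return False
    if sig["IsEncrypted"] != "*" and sig["IsEncrypted"] != ("1" if encrypted else "0"):
        return False
    # the name regex is searched, not anchored, so a pattern without a
    # trailing $ also fires on report.exe.txt
    return sig["regex"].search(filename) is not None


def scan(sig_lines: list, container_type: str, filename: str, encrypted: bool = False) -> list:
    """Return the names of all signatures that fire for one archived file."""
    sigs = [parse_cdb(line) for line in sig_lines]
    return [s["VirusName"] for s in sigs if cdb_matches(s, container_type, filename, encrypted)]


if __name__ == "__main__":
    for ctype, name in [("CL_TYPE_ZIP", "setup.exe"), ("CL_TYPE_ZIP", "SETUP.EXE"),
                        ("CL_TYPE_ZIP", "report.exe.txt"), ("CL_TYPE_7Z", "Invoice.EXE")]:
        print(f"{ctype:14} {name:16} -> {scan(SIGS, ctype, name)}")
```

Run it and the first signature fires on setup.exe but not on SETUP.EXE, while the `(?i)` variant catches both; the unanchored form also fires on report.exe.txt, which is the kind of false positive the `$` is there to avoid.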

Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.

2015-02-05 Thread Steve Basford
On Thu, February 5, 2015 8:46 am, Virgo Pärna wrote: > Recently I have received some viruses that have scr inside zip > archive inside zip archive. And also there have been some cab's containing > exe files. > Might be worth having a look here too... http://sanesecurity.com/foxhole-databases/

Re: [clamav-users] Protection from cryptowall/cryptolocker

2014-12-23 Thread Steve Basford
On Tue, December 23, 2014 6:35 pm, Alex Regan wrote: > I'd appreciate any further documents or other methods of protection that > people are using to block these? ClamAV and Sanesecurity signatures will help block malware which is emailed in, which can then download exploit packs, some of which

Re: [clamav-users] url scanner

2014-12-18 Thread Steve Basford
On Thu, December 18, 2014 2:29 pm, polloxx wrote: > Since more and more malware is not attached to a mail but only an url to > it, detecting it is challenge. Is there any good url scanner avalable for > Clamav? Millions of years ago...there used to be a clamd.conf MailFollowURLs Yes option, whic

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2014-12-09 Thread Steve Basford
On Tue, December 9, 2014 1:33 pm, polloxx wrote: > > % cat local.ign2 > SecuriteInfo.com.Spammer.ec-messenger.com.UNOFFICIAL > SecuriteInfo.com.Spammer.addemar.com.UNOFFICIAL Ah, ok...remove the ".UNOFFICIAL" off the end and restart clamd. Cheers, Steve Sanesecurity.com

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2014-12-09 Thread Steve Basford
On Tue, December 9, 2014 1:23 pm, polloxx wrote: > We have the same problem with signatures we want to whitelist. Was this > problem ever solved? Hi, What sig name are you whitelisting? Cheers, Steve Sanesecurity.com

Re: [clamav-users] Clamd: WARNING: lstat() failed on

2014-11-24 Thread Steve Basford
On Mon, November 24, 2014 11:21 am, stephen.b...@tanint.com wrote: > > I'm hoping someone can shed some light on an issue I'm experiencing... > Seem to remember a post a while ago... to do with AllowSupplementaryGroups ? clamd.conf... AllowSupplementaryGroups true Cheers, Steve Sanesecurity.

Re: [clamav-users] ClamAV® blog: ClamAV 0.98.5 has been released!

2014-11-19 Thread Steve Basford
On Tue, November 18, 2014 10:11 pm, Joel Esler (jesler) wrote: > > > ClamAV 0.98.5 has been released! Windows 32/64 bit binaries here: http://sourceforge.net/projects/clamav/files/clamav/win32/0.98.5/ Cheers, Steve Sanesecurity.com

Re: [clamav-users] Fwd: What is the signature count?

2014-10-10 Thread Steve Basford
On Fri, October 10, 2014 7:05 am, Prasanna Lotke wrote: > Can anyone tell me how many signatures does Clam virus database have? Or > how many malwares can it detect? Not had coffee yet but here's a quick summary of counts Current Official: main.cld is up to date (version: 55, sigs: ***2,424

Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Steve Basford
On Fri, October 3, 2014 12:19 pm, Tim Smith wrote: > > Over the last 24-48 hours, I submitted a number of email attachments. > RAR files that contained viruses. > > Running one or two of them through VirusTotal today, I see ClamAV have > *STILL* not managed to produce virus definitions for them !

Re: [clamav-users] False positives phishing sites

2014-09-23 Thread Steve Basford
On Tue, September 23, 2014 12:44 pm, Thorvald Hallvardsson wrote: > Anyone would like to point me into the right direction and help me out > with the problems I'm having ? Report them as FPs here: http://cgi.clamav.net/sendvirus.cgi ClamAV team will need to add hosts to the daily.wdb database to

Re: [clamav-users] Daily.cvd file

2014-09-18 Thread Steve Basford
On Thu, September 18, 2014 5:59 am, Paul Kosinski wrote: > When ClamAV was independent, every new release had an updated > main.cvd, and the daily.cvd files were of modest size. Now the whole > 0.98.x > series has the same main.cvd, and the daily.cvds keep getting bigger. The > immediately previo

Re: [clamav-users] Joomla Templates - False Possitive

2014-09-17 Thread Steve Basford
On Wed, September 17, 2014 1:53 pm, James Meason wrote: > Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND) Hi James, ClamAV team have created a signature which helps block double attachments, in much the same way that the Sanesecurity foxhole sigs have been doing for a while now. How

Re: [clamav-users] Problem with missing information

2014-09-09 Thread Steve Basford
On Tue, September 9, 2014 9:48 am, Denny Bortfeldt wrote: > > I've got a little problem and don't know what happen to my system. > Everytime I start "clamscan" or "freshclam" I get the following error: Hi Denny, There's a few posts with that sort of "no version information available" error...

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Steve Basford
On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote: > > What should i do now? Is there a trick to find a signature which fits > for all samples or i have to create a different signature for every > sample? Hi, Tricky :( Copy this into a not_tested.ndb test.ercynpr:7:*:3D7374725F726F74313328?

Re: [clamav-users] Sanesecurity:foxhole-databases

2014-09-05 Thread Steve Basford
On Fri, September 5, 2014 8:21 pm, Dennis Peterson wrote: > Steve - thanks for your contribution to the success of the ClamAV > products. One question for you - how does one determine the current version of > the files you distribute? One of the foxhole signature files I have is > from May, for examp

[clamav-users] Sanesecurity:foxhole-databases

2014-09-05 Thread Steve Basford
Hi All, For those using Sanesecurity foxhole databases, I've finally updated their usage information: http://sanesecurity.com/foxhole-databases/ Cheers, Steve Sanesecurity.com

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote: >> >> --detect-pua switch for clamscan or disable it in the clamd.conf file. >> > > Which one?, I have 3 of them. This is an old ubuntu 10.04 LTS install. > Also its reported as version 98.1. If you are using clamscan then I guess you've g

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 12:38 pm, Gene Heskett wrote: > > So as its been yonks since I setup the daily machine scan, where do I > turn off this particular PUA feature? --detect-pua switch for clamscan or disable it in the clamd.conf file. Cheers, Steve Sanesecurity

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 11:56 am, Gene Heskett wrote: > Ok, I'll byte, whats a PUA? Here's a good description... Q. What is a Potentially Unwanted Application (PUA)? A. The Sophos definition of a PUA is (quote) "a term used to describe an application that is not inherently malicious, but is g

Re: [clamav-users] sanesecurity file size limit

2014-08-27 Thread Steve Basford
On Wed, August 27, 2014 12:25 pm, Rajesh M. wrote: > in my clamd.conf file the size upto which the files will be scanned is 30 > mb ie max email size in my smtp session. > > how do we solve this issue. Sorry for this being brief/incorrect as I'm on holiday-ish ;) Qmail... http://major.io/200

Re: [clamav-users] Priority problem

2014-07-23 Thread Steve Basford
On Wed, July 23, 2014 10:41 am, Bernard Thédié wrote: > I'm using clamav under Linux. I've scheduled a daily scan of my home > dir. I would like to know if there's a way of telling clamscan to run more > nicely ; actually when clamscan runs, it takes between 75 and 90% of my > CPU ! I would rathe

Re: [clamav-users] ClamAV®: Compiling OpenSSL For Windows

2014-07-13 Thread Steve Basford
Just a thought.. Will ClamAV use LibreSSL too, as it's supposed to be drop in On 9 July 2014 20:14:01 GMT+01:00, "Joel Esler (jesler)" wrote: >Compiling OpenSSL For Windows > > >In order to support more advanced features planned in future releases, >ClamAV has switched to using OpenSSL for hashi

Re: [clamav-users] Custom signature question

2014-07-08 Thread Steve Basford
I guess, if you *really* wanted to block mp3's being emailed you could create a type4 ndb signature to match the mp3 base64 in the email ? eg... email format... == Content-Type: audio/mpeg; name="test.mp3" Content-Transfer-Encoding: base64 Content-Disposition: attachment;

Re: [clamav-users] Custom signature question

2014-07-08 Thread Steve Basford
On Tue, July 8, 2014 3:41 pm, a...@alb.de wrote: > alex:~$ dd if=mp3file.mp3 count=1 | sigtool --hex-dump > alex:~$ clamscan mp3file.exe Hi Alex, In the daily.ftm file, mp3 filetypes are ignored. 0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED Cheers, Steve Sanesecurity

Re: [clamav-users] [Heuristics.Structured.SSN]

2014-07-03 Thread Steve Basford
On Thu, July 3, 2014 2:08 pm, Chris wrote: > Below are the headers of the most recent mail that was hit; the email > itself was all html. Since this is just a home system with mine and my > wife's email what's the best way to keep this from happening? Hi Chris, According to clamd.conf the default

Re: [clamav-users] Malformed database?

2014-06-25 Thread Steve Basford
On Wed, June 25, 2014 11:00 am, Paul Smith wrote: > > It looks like my version is from the ClamWin ClamAV Unofficial Win32 > port. It's slightly customised which is why it's still an old version. Ah ok. There is also... Native 0.98 here... http://oss.netfarm.it/clamav/ Native 0.98.4-rc1: https

Re: [clamav-users] Malformed database?

2014-06-25 Thread Steve Basford
On Wed, June 25, 2014 9:57 am, Paul Smith wrote: > Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when > trying to download a fresh database: Hi Paul, Much newer binaries here (0.98.4), does it work ok with this version... http://sourceforge.net/projects/clamav/files/clamav/

Re: [clamav-users] Bad detection rate

2014-06-23 Thread Steve Basford
On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote: > > About 4 hours later I checked again and > 12 out of 54 scanners detected a virus in this file > but ClamAV did not detect it. I know 4 hours sounds a long time but when you consider the current amount of malware that is submitted / auto-subm

Re: [clamav-users] Bad detection rate

2014-06-23 Thread Steve Basford
On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote: > > This morning I submitted the file > Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe > (MD5 ad690be247dda635781e20887fcac0e7) > on virustotal.com. > > 4 out of 54 scanners detected a virus > (NOD32 named it Win32/Kryptik.CFAE) >

Re: [clamav-users] FN with unknown virus attachment

2014-06-23 Thread Steve Basford
> Okay, great, thanks. Can you describe the risk for me? What does it do, > and what's necessary for the user to do to become infected? It appears to > be a rogue link phishing attack? So it requires the user to open the Word > doc then click the link, correct? Hi Alex, 1. I used strings on the

Re: [clamav-users] FN with unknown virus attachment

2014-06-21 Thread Steve Basford
On Sat, June 21, 2014 2:00 pm, Alex wrote: > Hi, > I'm using clamav-0.98.4 on fedora20 with the sanesecurity and safebrowsing > sigs and still seeing an unknown virus pass through our systems. I've > submitted it to the clamav false-negative upload, but haven't received a > response, and 24hrs la

[clamav-users] DatabaseCustomURL question

2014-06-20 Thread Steve Basford
Hi, Does anyone have DatabaseCustomURL in their freshclam.conf: I've just tried this format... DatabaseCustomURL http://blahblahblah.com:/test.cud And I get an "Unknown error" :) ClamAV update process started at Thu Jun 19 14:14:24 2014 WARNING: Can't get information about blahblahblah.com

[clamav-users] building a cud file

2014-06-20 Thread Steve Basford
Hi All, I'm playing with .cud file creation from a couple of files... testdb folder COPYING testdb.hdb testdb.ndb set SIGNDUSER=me sigtool --datadir=testdb --build=testdb.cud --unsigned --cvd-version 1 WARNING: build: Signatures in testdb db files: 2674, loaded by libclamav: 5348 Total sigs:

Re: [clamav-users] DatabaseCustomURL question

2014-06-19 Thread Steve Basford
> > As it stands right now, freshclam does not support custom ports. However, > we can add that functionality for a future release. Thanks for the quick reply. I'll add a bugzilla... Cheers, Steve Sanesecurity ___ Help us build a comprehensive ClamA

[clamav-users] DatabaseCustomURL question

2014-06-19 Thread Steve Basford
Hi, Does anyone have DatabaseCustomURL in their freshclam.conf: I've just tried this format... DatabaseCustomURL http://blahblahblah.com:/test.cud And I get an "Unknown error" ? :) ie... ClamAV update process started at Thu Jun 19 14:14:24 2014 WARNING: Can't get information about blahbla

[clamav-users] building a cud file

2014-06-18 Thread Steve Basford
Hi All, I'm playing with .cud file creation from a couple of files... testdb folder COPYING testdb.hdb testdb.ndb set SIGNDUSER=me sigtool --datadir=testdb --build=testdb.cud --unsigned --cvd-version 1 WARNING: build: Signatures in testdb db files: 2674, loaded by libclamav: 5348 Total sigs:
